According to a recent press release, the U.S. Food and Drug Administration finalized recommendations to manufacturers for managing cyber security risks to better protect patient health and information.
The final guidance, titled “Content of Premarket Submissions for Management of Cyber security in Medical Devices,” recommends that manufacturers consider cyber security risks as part of the design and development of a medical device, and submit documentation to the FDA about the risks identified and controls in place to mitigate those risks.
The guidance also recommends that manufacturers submit their plans for providing patches and updates to operating systems and medical software.
As medical devices become more interconnected and inter-operable, they can improve the care patients receive and create efficiency in the healthcare system. Some medical devices, like computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. By carefully considering possible cyber security risks while designing medical devices, and having a plan to manage system or software updates, manufacturers can reduce the vulnerability in their medical devices.
“There is no such thing as a threat-proof medical device,” said Suzanne Schwartz, M.D., MBA, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health. “It is important for medical device manufacturers to remain vigilant about cyber security and to appropriately protect patients from those risks.”
The FDA’s concerns about cyber security vulnerabilities include malware infections on network-connected medical devices or computers, smartphones, and tablets used to access patient data; unsecured or uncontrolled distribution of passwords; failure to provide timely security software updates and patches to medical devices and networks; and security vulnerabilities in off-the-shelf software designed to prevent unauthorized access to the device or network.
The FDA has neither an indication that specific devices or systems have been purposely targeted, nor reports that any patients have been harmed as a result of cyber security breaches, but remains concerned about device-related cyber security vulnerabilities and their potential to adversely impact public health.
The FDA has been working closely with other federal agencies and the medical device industry to identify and communicate with stakeholders about vulnerabilities. The agency is planning a public workshop this fall to discuss how the government, medical device developers, hospitals, cyber security professionals, and other key stakeholders can collaborate to improve the cyber security of medical devices and protect the public health.
The FDA, an agency within the U.S. Department of Health and Human Services, protects the public health by assuring the safety, effectiveness, and security of human and veterinary drugs, vaccines and other biological products for human use, and medical devices. The agency is also responsible for the safety and security of our nation’s food supply, cosmetics, dietary supplements, products that give off electronic radiation, and for regulating tobacco products.