The scary reality as more medical devices become interconnected and attached to a network is that those connections unveil new entry points for cyber threats. The Food and Drug Administration released final guidance Wednesday recommending that manufacturers take those security concerns into account from the inception of their design to mitigate cyber risks.
The guidance — “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” — recognizes key security steps manufacturers should take before submitting their devices for approval, such as identifying existing risks and assessing their impacts and likelihood of happening, exploring ways to limit device access and entrusting the security of its content and implementing features to detect and respond to any attacks. Failure to so “can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death,” the document states.
“There is no such thing as a threat-proof medical device,” said Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures at the FDA Center for Devices and Radiological Health. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”
There’s a host of threats the FDA has its crosshairs on with these recommendations, including malware, unsecured or uncontrolled distribution of passwords, poor management of software updates and patches and other vulnerabilities from software or apps designed to prevent unauthorized access to the device.
Along with the guidance, FDA asks that manufacturers submit documentations about the risks involved with a planned device and how it plans to mitigate those risks, as well as any plans for patches or updates to operating systems or software.
While the FDA said cyber threats to medical devices are only perceived at this point and there are no reports “that any patients have been harmed as a result of cybersecurity breaches,” it is concerned of the possibility, one that’s surfaces in popular culture recently. Reports late last year surfaced that former Vice President Dick Cheney had his physician turn off the wireless feature of his pacemaker, fearing someone could hack it and alter its functioning to attack him. Cheney began questioning the possibility of such an attack when he saw an episode of Showtime’s “Homeland” in which the fictional American vice president was assassinated in that exact manner.
Of course, that’s just one extreme end of the spectrum. The FDA is also concerned with keeping personal medical information and other assets secure from intruders as well.
The FDA has planned a workshop in October during which it will gather other government representatives, manufacturers, the medical industry, hospitals, cybersecurity professionals and others to collaborate on best practices for medical device security. This new guidance will complement prior FDA guidance for medical devices using software, and like it, these new recommendations are strong suggestions but not legal regulations or statutory requirements.