by Lauren Dubinsky, Senior Reporter | October 03, 2014
The FDA released finalized recommendations on Wednesday for medical device manufacturers on how to manage cybersecurity risks. With the recent slew of security breaches at hospitals, cybersecurity is becoming a top priority.
The guidance, titled "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices," recommends that manufacturers incorporate cybersecurity risks into their design and development process.
The FDA stated in the guidance that medical device security is a shared responsibility between health care facilities, patients, physicians and manufacturers. "Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats," according to the guidance. "This in turn may have the potential to result in patient illness, injury, or death."
The agency wants manufacturers to provide documentation that cites the risks and how they have mitigated those risks. It also wants them to submit plans on how they will update operating systems and medical software to prevent cybersecurity issues.
Medical devices that can connect to other devices, the Internet or other networks are especially susceptible to security breaches. But those breaches could be avoided by identifying those risks in the development process and creating a strategy to regulate systems or software updates.
"There is no such thing as a threat-proof medical device," Dr. Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures at the FDA's Center for Devices and Radiological Health, said in a statement. "It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks."
Among the cybersecurity threats to medical devices are malware infections, sharing passwords in an insecure manner, not updating software or patching medical devices and networks in a timely fashion and security vulnerabilities in off-the-shelf software designed to prevent unauthorized access to the device or network.
Even though the FDA doesn't have any reason to believe that a specific device or system is the target of a cybersecurity threat and there aren't any reports about patients being harmed after a breach, the agency still views it as a concern that has the potential to "adversely impact" public health.