By Suzanne B. Schwartz
Protecting medical devices from ever-shifting cybersecurity threats requires an all-out, lifecycle approach that begins with early product development and extends throughout the product’s lifespan.
The industry now has advice from the Food and Drug Administration (FDA) across this product continuum with the release of a final guidance on the postmarket management of medical device cybersecurity. It joins an earlier final guidance on medical device premarket cybersecurity issued in October 2014.
To understand why such guidance is so important for patients, caregivers and the medical device community, we need to take a step back and look at how cybersecurity fits into the medical device ecosystem.
In today’s world of medical devices connected to a hospital’s network or even a patient’s own Internet service at home, we see significant technological advances in patient care and, at the same time, an increase in the risk of cybersecurity breaches that could affect a device’s performance and functionality.
The best way to combat these threats is for manufacturers to consider cybersecurity throughout the total product lifecycle of a device. In other words, manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.
Today’s postmarket guidance recognizes today’s reality – cybersecurity threats are real, ever-present, and continuously changing. In fact, hospital networks experience constant attempts of intrusion and attack, which can pose a threat to patient safety. And as hackers become more sophisticated, these cybersecurity risks will evolve.
With this guidance, we now have an outline of steps the FDA recommends manufacturers take to remain vigilant and continually address the cybersecurity risks of marketed medical devices. Central to these recommendations is FDA’s belief medical device manufacturers should implement a structured and comprehensive program to manage cybersecurity risks.
This means manufacturers should, among other things:
• Have a way to monitor and detect cybersecurity vulnerabilities in their devices
• Understand, assess and detect the level of risk a vulnerability poses to patient safety
• Establish a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities (known as a “coordinated vulnerability disclosure policy”)
• Deploy mitigations (e.g., software patches) to address cybersecurity issues early, before they can end up exploited and cause harm
This approach enables manufacturers to focus on continuous quality improvement, which is essential to ensuring the safety and effectiveness of medical devices at all stages in the device’s lifecycle.
In addition, it is paramount for manufacturers and stakeholders across the entire ecosystem to consider applying the National Institute of Standards and Technology’s (NIST) core principles for improving critical infrastructure cybersecurity: To identify, protect, detect, respond and recover. It is only through application of these guiding principles, executed alongside best practices such as coordinated vulnerability disclosure, that will allow us all to navigate this uncharted territory of evolving risks to device security.
This is clearly not the end of what FDA will do to address cybersecurity. We will continue to work with all medical device cybersecurity stakeholders to monitor, identify and address threats, and intend to adjust our guidance or issue new guidance, as needed.
Digital connections power great innovation—and medical device cybersecurity must keep pace with that innovation. The same innovations and features that improve health care can increase cybersecurity risks. This is why we need all stakeholders in the medical device ecosystem to collaborate to simultaneously address innovation and cybersecurity. We’ve made great strides but we know that cybersecurity threats are capable of evolving at the same pace as innovation, and therefore, more work must be done.
Suzanne B. Schwartz, M.D., M.B.A., is the Food and Drug Administration’s associate director for science and strategic partnerships, at the Center for Devices and Radiological Health. This article was obtained via ICS-CERT.