Key Takeaways from FDA Guidance on Medical Device Cybersecurity

The FDA recently issued a draft guidance, a follow-up to its 2013 cybersecurity safety communication stressing premarket preparation for cyberattacks, that outlines the steps medical device manufacturers should take to continually address cybersecurity risks in order to keep patients safe and better protect public health.

The risk inherent in networked medical devices is an increasingly discussed topic as healthcare makes significant strides into the digital era; at the same time, the security concerns around medical devices, particularly those connected to the Internet, are growing rapidly. This draft guidance is part of the FDA’s ongoing effort to ensure the safety and effectiveness of medical devices, at all stages of their lifecycle, in the face of potential cyber threats.

High Value Data Equals High Level Risks

Given the high value that compromised data can command on the black market, thanks to the digitization and sharing of medical records, researchers predict that the healthcare industry will remain one of the most targeted sectors, particularly through networked medical devices.

The FDA states in the guidance that medical device companies are responsible for ensuring that the “essential clinical performance” of their devices is not compromised. Central to this is considering the exploitability of a cybersecurity vulnerability, since exploitation can compromise both patient safety and the effectiveness of the device.

In fact, the draft guidance warns about the severity of the health impact to patients if a vulnerability is exploited. Unlike data breaches involving credit card numbers and other personal information, where the harm is more often remote and speculative, the risk of harm is paramount for medical devices: a hacked device could cause serious physical harm to a patient. According to security researcher Lysa Myers, “Medical records are likely to remain a tempting target as long as there is a sufficient return on criminals’ investment of time and effort.”

What to Consider in a Cybersecurity Plan

Manufacturers must formulate a solid cybersecurity plan to understand, assess, and detect a vulnerability’s presence and impact, and to streamline communication about it. The following are some of the FDA’s recommendations:

  • Join an Information Sharing and Analysis Organization (ISAO). Collaboration is a key part of the FDA’s plan because it promotes a proactive approach to cybersecurity management. Sharing cyber risk information and intelligence within the medical device community, through organizations such as NH-ISAC, can enhance the management of individual cybersecurity vulnerabilities and is “integral to a successful postmarket cybersecurity surveillance program.”
  • Perform routine cybersecurity updates and patches. This applies particularly to any vulnerability that would compromise the “clinical performance of a device” and “present a reasonable probability of serious adverse health consequences or death,” of which the FDA would have to be notified. Routine updates promote “good cyber hygiene” by assessing postmarket information, employing a risk-based approach to characterizing vulnerabilities, and implementing necessary actions in a timely manner (all of which further mitigate emerging cybersecurity risks and reduce the impact on patients).
  • Ensure proper risk assessment. The FDA recognizes that not all risks must be mitigated. Instead, companies should use the risk assessment to determine whether a risk is “controlled” or “uncontrolled,” meaning acceptable or unacceptable. The guidance also stresses that while manufacturers can incorporate controls into the design of a product to help prevent risks, it is essential that they also consider improvements during maintenance of the device, because the evolving nature of cyber threats means risks may arise throughout a device’s entire lifecycle.

It is clear that the FDA, like many government agencies, is concerned with the threat of cybersecurity breaches, both intentional and accidental; manufacturers and healthcare organizations can no longer put off proper security. The guidance offers a robust outline of how to mitigate cybersecurity risks, and if organizations adopt these practices during the design and development of medical devices, the result will be greater patient safety and far fewer harmful cyber data breaches.