The FDA recently issued a draft guidance, a follow-up to its 2013 cybersecurity safety communication that stressed premarket preparation for cyberattacks, outlining the steps medical device manufacturers should take to continually address cybersecurity risks, keep patients safe, and better protect the public health.
The risk inherent in networked medical devices is an increasingly discussed topic as healthcare moves into the digital era, and the security concerns around medical devices, particularly those connected to the Internet, are growing rapidly. This draft guidance is part of the FDA's ongoing effort to ensure the safety and effectiveness of medical devices at all stages of their lifecycle in the face of potential cyber threats.
The digitization and sharing of medical records has made compromised health data highly valuable on the black market. Given that value, researchers predict that the healthcare industry will remain one of the most targeted sectors, with networked medical devices a particular focus for attackers.
The FDA states in the guidance that medical device companies are responsible for ensuring that the "essential clinical performance" of their devices is not compromised. Central to this is assessing the exploitability of each cybersecurity vulnerability, since exploitation can compromise both patient safety and the effectiveness of the device.
In fact, the draft guidance warns about the severity of the health impact to patients when a device is exploited. Unlike data breaches involving credit card numbers and other personal information, where the harm is more often remote and speculative, the risk of harm is paramount with medical devices: a hacked device could cause serious physical harm to a patient. According to security researcher Lysa Meyers, "Medical records are likely to remain a tempting target as long as there is a sufficient return on criminals' investment of time and effort."
Manufacturers must formulate a solid cybersecurity plan to understand, assess, and detect a vulnerability's presence and impact, and to streamline communication about it. The FDA's recommendations include the following:
It is clear that the FDA, like many government agencies, is concerned with the threat of cybersecurity breaches, both intentional and accidental; manufacturers and healthcare organizations can no longer put off proper security. The guidance offers a robust outline of how to mitigate cybersecurity risks, and if organizations address these measures during the design and development of medical devices, the result will be greater patient safety and far fewer harmful data breaches.