With the issuance of its final guidance in December 2016, the FDA has extended its recommendations to digital health and medical device manufacturers on how to protect the public health from cybersecurity vulnerabilities. Researchers have previously demonstrated attacks on devices such as pacemakers and insulin pumps, lending real weight to the concern that unsecured devices are vulnerable to tampering, with potentially devastating results. In 2016, ethical hackers were able to break into a Baltimore-area hospital system remotely and commandeer the computer systems that track medicine delivery and bloodwork requests. And earlier this year the Department of Homeland Security issued a warning that certain heart devices could be hacked, requiring the manufacturer to roll out a software fix.
According to the FDA: “Digital connections power great innovation — and medical device cybersecurity must keep pace with that innovation. The same innovations and features that improve health care can increase cybersecurity risks. This is why we need all stakeholders in the medical device ecosystem to collaborate to simultaneously address innovation and cybersecurity. We’ve made great strides but we know that cybersecurity threats are capable of evolving at the same pace as innovation, and therefore, more work must be done.”
As a cloud-based solutions provider that works within the healthcare sector, we've heard a lot of questions, as well as some dubious recommendations, on how to follow the guidance. We've heard everything from "What's the best way to monitor for vulnerabilities?" to "Are you sure our device falls under HIPAA?" or even "Our online risk assessment says we're fine." The fact that the release is only a "guidance" document means it does not by itself impose binding requirements, and how the FDA will enforce it remains unclear.
Patients and providers increasingly rely on medical devices, and on those devices being safe: not only in how a device functions and supports care, but in how well it resists cyberattack. A device that can be compromised puts patient safety at risk.
How can digital health and medical device manufacturers better manage cybersecurity risk?
Start by understanding the findings of your cybersecurity risk assessment. If you haven't conducted one, then please start there. Next, ask yourself these questions:
- Have you considered cybersecurity at every stage, from design through development to deployment?
- Do you have a way to check the device for known vulnerabilities on an ongoing basis?
- Have you conducted a risk assessment, and do any of the identified risks affect patient safety?
- If the device is compromised, can it still perform its essential function? If it can, what new risks does continued operation create?
- How do you communicate the risks and vulnerabilities to providers and patients?
- How do you mitigate those risks? Have you built in a mechanism to deploy critical updates such as software patches?
If you'd like to better understand the FDA's guidance on Postmarket Management of Cybersecurity in Medical Devices, join us at the Health Care Cloud Coalition Webinar on April 13th, where two of the FDA's digital health and cybersecurity experts will discuss the guidance, its intent, and how it applies to mobile medical applications.