As medical devices incorporate more advanced technology, the risk of cybersecurity problems grows with it. Device companies continue to roll out smart products that connect to the Internet, to hospital networks, to patients and to other devices. And as cloud-based software and mobile apps shape companies' digital health initiatives, more attention is being paid to the security of these products and of the data they store.
To keep pace with this evolving technological landscape and with growing insight into cyber threats, FDA has taken several steps on medical device cybersecurity.
In October 2018, FDA issued a draft guidance document, "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices," which updates its original 2014 guidance of the same name with revised recommendations.
"In recent years, we've witnessed the far-reaching and negative consequences of successful cyber campaigns on organizations," FDA Commissioner Scott Gottlieb, M.D., said. "Even when medical devices are not being deliberately targeted, if these products are connected to a hospital network, such as radiologic imaging equipment, they may be impacted."
Among the new recommendations is the cybersecurity bill of materials (CBOM): a list of the commercial, open-source and off-the-shelf software and hardware components of a medical device that are, or could become, susceptible to vulnerabilities. The goal is to let healthcare facilities and end users know which components they are running, so that when a vulnerability is disclosed in one of them they can recognize that a device is affected and prepare accordingly. FDA opened a comment period on the draft guidance through March 18, 2019, after which the new recommendations will be finalized.
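The practical value of a CBOM is that a hospital can cross-reference it against vendor advisories without waiting for the manufacturer to call. The following Python script is an added example, not part of the FDA guidance or of any manufacturer's tooling, of that cross-reference: it models a CBOM as a list of components with supplier and version, a set of advisories with affected-version ranges, and reports which device components an advisory applies to. All component names, suppliers, versions and advisory identifiers are constructed placeholders for a fictional device; none refers to a real product or a real vulnerability.

```python
"""Cross-reference a cybersecurity bill of materials (CBOM) against advisories.

Added illustration, not FDA or vendor code. Every name, version and advisory
ID below is a constructed placeholder for a fictional device.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    supplier: str
    kind: str            # "software" or "hardware"


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    affected: str        # comma-separated clauses that are ANDed, e.g. ">=1.0,<2.4.1"
    mitigation: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.4.1' -> (2, 4, 1). A non-numeric part raises, so a malformed CBOM
    entry fails loudly instead of silently comparing as 'not affected'."""
    return tuple(int(part) for part in text.strip().split("."))


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Return -1, 0 or 1 after right-padding with zeros so that 2.4 == 2.4.0."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


# Which compare() results satisfy each operator.
_OPS = {">=": (0, 1), "<=": (-1, 0), "==": (0,), ">": (1,), "<": (-1,)}


def version_in_range(version: str, expr: str) -> bool:
    """True if every clause of expr holds for version."""
    v = parse_version(version)
    for clause in expr.split(","):
        clause = clause.strip()
        for op in (">=", "<=", "==", ">", "<"):      # two-character operators first
            if clause.startswith(op):
                if compare(v, parse_version(clause[len(op):])) not in _OPS[op]:
                    return False
                break
        else:
            raise ValueError(f"unparseable range clause: {clause!r}")
    return True


def find_affected(cbom: List[Component],
                  advisories: List[Advisory]) -> List[Tuple[Component, Advisory]]:
    """Pair each CBOM component with every advisory whose range covers its version."""
    hits = []
    for comp in cbom:
        for adv in advisories:
            if adv.component.lower() == comp.name.lower() and \
                    version_in_range(comp.version, adv.affected):
                hits.append((comp, adv))
    return hits


def summarize(cbom: List[Component], advisories: List[Advisory]) -> Dict[str, List[str]]:
    """Map each affected component name to the advisory IDs that apply to it."""
    out: Dict[str, List[str]] = {}
    for comp, adv in find_affected(cbom, advisories):
        out.setdefault(comp.name, []).append(adv.advisory_id)
    return out


# Constructed CBOM for a fictional infusion pump (placeholder names and versions).
SAMPLE_CBOM = [
    Component("acme-tls", "1.0.2", "Acme Software", "software"),
    Component("rtos-core", "4.4.0", "Example RTOS Ltd", "software"),
    Component("bt-radio-fw", "3.1", "Example Semiconductor", "hardware"),
    Component("dicom-lib", "3.6.5", "Example Imaging", "software"),
]

# Constructed advisories with fictional IDs; none describes a real vulnerability.
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-2019-001", "acme-tls", "<1.1.0", "upgrade to 1.1.0 or later"),
    Advisory("EXAMPLE-2019-002", "rtos-core", ">=4.0,<4.4.10", "apply vendor patch 4.4.10"),
    Advisory("EXAMPLE-2019-003", "bt-radio-fw", "==3.1", "disable Bluetooth until firmware 3.2"),
    Advisory("EXAMPLE-2019-004", "dicom-lib", "<3.6.0", "not applicable to 3.6.5"),
]

if __name__ == "__main__":
    for name, ids in summarize(SAMPLE_CBOM, SAMPLE_ADVISORIES).items():
        print(f"{name}: {', '.join(ids)}")
```

Run against the constructed inputs, three of the four components match an advisory; `dicom-lib` does not, because its version sits outside the affected range. The matching is only as good as the CBOM's version strings, which is why the parser refuses entries it cannot interpret rather than treating them as safe.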
FDA has also entered into an agreement with the U.S. Department of Homeland Security (DHS). The agreement, between FDA's Center for Devices and Radiological Health and the DHS Office of Cybersecurity and Communications, aims to "encourage even greater coordination and information sharing about potential or confirmed medical device cybersecurity vulnerabilities and threats."
The agency also has published a “Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook,” in partnership with the MITRE Corporation. The playbook describes readiness activities that will enable healthcare delivery organizations to be better prepared for a cybersecurity incident involving their medical devices.
As a reminder, the original 2014 guidance on mitigating cybersecurity risks already recommends that companies follow a risk-management process: identify threats and vulnerabilities; assess their impact on device functionality and on end users; assess the likelihood that a threat or vulnerability will be exploited; determine the resulting risk levels and suitable mitigation strategies; and assess residual risk against defined risk acceptance criteria.