FDA issues industry guidance to secure networked medical devices
The Food and Drug Administration has released final guidance on the post-market management of cybersecurity in medical devices. Of particular concern is the growing number of networked medical devices, the vulnerabilities of which could potentially put patient safety at risk.
“Networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats,” states the FDA’s guidance. “The exploitation of vulnerabilities may represent a risk to health and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits. Proactively addressing cybersecurity risks in medical devices reduces the overall risk to health.”
Writing in a December 27 blog, Suzanne Schwartz, MD, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health, emphasizes that manufacturers must consider cybersecurity throughout the product lifecycle of devices, building in cybersecurity controls when they design and develop them as well as continuously monitoring and addressing cybersecurity concerns after devices are on the market.
“In today’s world of medical devices that are connected to a hospital’s network or even a patient’s own Internet service at home, we see significant technological advances in patient care and, at the same time, an increase in the risk of cybersecurity breaches that could affect a device’s performance and functionality,” contends Schwartz.
According to Schwartz, the FDA’s guidance “recognizes today’s reality—cybersecurity threats are real, ever-present, and continuously changing.” She notes that hospital networks in particular “experience constant attempts of intrusion and attack, which can pose a threat to patient safety” and “as hackers become more sophisticated, these cybersecurity risks will evolve.”
Last year, the FDA alerted users of a computerized infusion pump—which communicates with hospital information systems via a wired or wireless connection over facility network infrastructures—that it had serious cybersecurity vulnerabilities that could put patient safety at risk. As a result, the regulatory agency advised healthcare facilities to disconnect the pumps from their networks to reduce the risk of unauthorized system access.
While the document contains nonbinding recommendations for industry, the FDA’s guidance emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their post-market management of medical devices.
Among the regulatory agency’s recommendations to industry:
- Have a way to monitor and detect cybersecurity vulnerabilities in their devices.
- Understand, assess and detect the level of risk a vulnerability poses to patient safety.
- Establish a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities, known as a “coordinated vulnerability disclosure policy.”
- Deploy mitigations, such as software patches, to address cybersecurity issues early, before they can be exploited and cause harm.
“This guidance recommends how to assess whether the risk of patient harm is sufficiently controlled or uncontrolled,” according to the FDA. “This assessment is based on an evaluation of the likelihood of exploit, the impact of exploitation on the device’s safety and essential performance, and the severity of patient harm if exploited.”
The guidance applies to any marketed and distributed medical device including:
- Medical devices that contain software (including firmware) or programmable logic.
- Software that is a medical device, including mobile medical applications.
- Medical devices that are considered part of an interoperable system, and legacy devices, for example, devices that are already on the market or in use.
In addition, the regulatory agency’s document establishes a risk-based framework for assessing when changes to medical devices for cybersecurity vulnerabilities require reporting to the FDA, and outlines circumstances in which it does not intend to enforce reporting requirements.