Healthcare is becoming increasingly reliant on connected devices, which is why medical device security must remain a top priority. Cybersecurity threats are a constant worry, but the FDA aims to help healthcare organizations remain innovative while still ensuring patient safety.
There must be a total product lifecycle approach, according to Suzanne B. Schwartz, M.D., M.B.A., who serves as FDA Associate Director for Science and Strategic Partnerships at the Center for Devices and Radiological Health.
Security must be built in at the product design phase, but there must also be a plan for managing any risks that emerge, Schwartz wrote in a blog post. Entities should also plan how to reduce the likelihood of potential future risks.
“FDA encourages medical device manufacturers to proactively update and patch devices in a safe and timely manner,” she explained. “The concept of updates and patches, while not new to traditional information technologies, is complex when it comes to critical safety systems and requires a collaborative approach to finding solutions.”
Schwartz also cited specific agency guidance where FDA recommends “comprehensive management of medical device cybersecurity risks throughout the total product life cycle.”
Finalized in December 2016, “Postmarket Management of Cybersecurity in Medical Devices” states that cybersecurity risks and vulnerabilities must be considered during the design, development, production, distribution, deployment and maintenance of the device.
“A growing number of medical devices are designed to be networked to facilitate patient care,” the guidance stated. “Networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats.”
There are also numerous myths surrounding FDA’s role in medical device cybersecurity, Schwartz pointed out. For example, FDA is not the only federal government agency responsible for the cybersecurity of medical devices. The agency instead works with other federal government agencies (such as the Department of Homeland Security), the private sector, and medical device manufacturers.
FDA also does not test medical devices for cybersecurity, according to an agency fact sheet. Medical product manufacturers are responsible for premarket testing of their products, and FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity.
Overall, Schwartz maintained that a plan to address cybersecurity risks is critical in the ever-evolving healthcare industry, especially as device development continues to progress.
“Working with the medical device industry and other federal agencies, FDA will continue its work to ensure the safety and effectiveness of medical devices at all stages of their lifecycles against potential cyber threats,” Schwartz said.
Potential patient safety concerns stemming from medical device vulnerabilities were also discussed in a recent paper published in the Journal of the American Medical Association (JAMA). The paper also stressed the importance of collaboration and communication for prioritizing patient safety in an evolving industry.
Lead authors Daniel B. Kramer, MD, MPH and Kevin Fu, PhD specifically discussed possible risks to data security and patient safety with cardiac implantable electrical devices. The duo cited the August 2017 FDA safety communication on pacemaker models made by St. Jude Medical.
“As software and remote monitoring become embedded in more medical devices, such as diabetes management systems and sleep apnea devices, cybersecurity concerns will inevitably increase the risk of advisories affecting a wider scope of patients,” the duo explained. “Therefore, it is important to consider the ways in which patients and clinicians might prepare for such events, and the optimal ways for manufacturers and the FDA to engage the public around this emerging area of postmarketing surveillance.”
While FDA acknowledged the theoretical risks of wireless technology, the safety communication did not specify whether devices from other manufacturers were likely affected by the same set of vulnerabilities, the paper noted.
“The FDA might have leveraged the safety communication to specifically identify whether there is an industry-wide concern, and to clarify current security standards established by regulators for new device approval,” the authors suggested. “This guidance might also proactively reassure the millions of patients who have pacemakers that are not subject to the advisory, a model for communication that may serve the public well going forward.”
It also could have been beneficial for the agency to partner with “industry to formally pilot the corrective action to acquire clinical data and user feedback, and to allow for ongoing quantification of the actual adverse event rate from implementing the solution in particular.”
Kramer and Fu did commend FDA for collaborating with cybersecurity experts across government agencies, academia, and industry to identify and characterize potential threats and then provide the necessary guidance.
“However, the experience with this pacemaker advisory should serve as a reminder to the broader clinical community that an entirely new class of potential medical device malfunction is likely to become increasingly common,” the duo concluded. “Patients and clinicians need to appreciate these risks alongside the convenience and diagnostic and therapeutic potential of remotely connected devices.”