Late last week, the Food and Drug Administration released its “cybersecurity” guidance, outlining recommendations that manufacturers “should consider” in order to protect patient information that may be stored on medical devices or transferred between wireless systems. The FDA recommends companies beef up their premarket submissions to FDA with specific information related to their cybersecurity measures.
The risks associated with potential hacks of wireless medical devices gained some media attention last year. Former vice president Dick Cheney, who relied on a pacemaker, an implantable defibrillator and a left ventricular assist device before undergoing a heart transplant, noted he stopped using his device because he worried that hackers could crash the computerized implants.
While cyber-attacks have so far only played out in lab simulations as far as we know, the potential risks are well documented. For example, an article in Bloomberg outlined a demonstration where wireless-enabled insulin pumps could be remotely manipulated to deliver a lethal dose to a patient wearing the device. A major problem, the article notes, is that devices can’t currently be updated without being recalled, unlike cell phones, for examples, that are constantly getting security fixes.
FDA’s guidance, entitled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, seeks to address the need for “effective cybersecurity.”
The agency defines cybersecurity as “the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.”
Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. This vulnerability increases as medical devices are increasingly “connected” to the Internet, hospital networks, and to other medical devices.
FDA notes that they consider cybersecurity risks just like any other risk in their decision to approve a device:
All medical devices carry a certain amount of risk. The FDA allows devices to be marketed when the probable benefits to patients outweigh the probable risks. While the increased use of wireless technology and software in medical devices also increases the risks of potential cybersecurity threats, these same features also improve health care and increase health care providers’ ability to treat patients.
In order to mitigate and manage cybersecurity threats, the FDA recommends that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cybersecurity threats, which could be caused by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.
“By carefully considering possible cybersecurity risks while designing medical devices, and having a plan to manage system or software updates, manufacturers can reduce the vulnerability in their medical devices,” FDA states.
FDA Recommendations:
Manufacturers should address cybersecurity during the design and development of the medical device, “as this can result in more robust and efficient mitigation of patient risks.” FDA states. The approach should address the following elements.
FDA walks through what device manufacturers should provide to FDA in their premarket submissions related to cyber security. The agency mentions five documents in particular where this guidance applies: 510(k)s, de novo submissions, premarket approval applications, product development protocals, and humanitarian device exemption.
- A specific list of all cybersecurity risks that were considered in the design of the device and a list, and justification for all cybersecurity controls that were established for the device.
- A “traceability matrix” that links the actual cybersecurity controls to the cybersecurity risks that were considered;
- A summary describing the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device to continue to assure its safety and effectiveness. “The FDA typically will not need to review or approve medical device software changes made solely to strengthen cybersecurity,” the agency notes.
- A summary describing controls that are in place to assure that the medical device software will remain free of malware from the point of origin to the point at which that device leaves the control of the manufacturer; and
- Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g. anti-virus software, use of firewall).
FDA also lists “Recognized Standards” related to IT and device security in the guidance.
To follow up on their guidance, FDA will hold a public workshop entitled “Collaborative Approaches for Medical Device and Healthcare Cybersecurity,” on October 21–22, 2014, in Arlington, VA.
A webinar to explain the cyber security guidance and provide a forum for questions will follow on October 29, 2014, from 2 to 3 p.m. ET.