How the FDA is addressing cybersecurity for medical devices
The U.S. Food and Drug Administration is charged with ensuring that the medical devices it approves or clears are safe and effective for patients. Showing that a new device will not cause harm often means demonstrating that it is substantially equivalent to a device already on the market, or presenting evidence from clinical and bench studies. The threat of hacking has opened a fresh area of concern for regulators, one with wide-reaching implications for how devices are researched and designed.
Device makers must now account for cybersecurity threats as part of product development. Protecting patients and their confidential health records is a top priority for health care providers, and taking the necessary steps early can make a major difference in a product's success. Manufacturers can begin by familiarizing themselves with common threats, their consequences and the FDA's current recommendations.
Why cybersecurity matters
Medical devices are increasingly connected to hospital networks to share clinical data. Confidential records may be reachable from many points on a network and retained for years. Making that information readily accessible to staff and patients benefits care, but it also creates opportunities for exploitation.
Unauthorized exposure of health care data is a serious and all-too-common problem. Over the past seven years, the U.S. Department of Health and Human Services has reported more than 1,900 breaches of protected health information that each affected at least 500 individuals, the threshold above which a breach must be publicly listed. A 2016 study from IBM and the Ponemon Institute put the cost of a health care breach at $363 per compromised record, the highest of any industry.
Attackers consider health care institutions and insurers tempting targets because of the volume of valuable information their systems hold. Home addresses, Social Security numbers, birth dates and similar data support identity theft and other fraud, which makes them lucrative commodities on underground markets. Unlike a payment card number, a Social Security number or medical history cannot be cancelled and reissued, so stolen records hold their value long after a breach. In some cases, records may also be stolen for espionage purposes.
Adding to the problem, attackers know that health care providers have a strong interest in keeping their networks running and their data available. Ransomware has therefore become another common tactic. Computerworld reported several cases in which attackers went after hospitals or their third-party vendors, gaining access to databases or disabling systems and then demanding payment to restore them.
Protecting medical devices
Regulators have realized that heading off this danger calls for updated, proactive measures. FDA officials have focused in particular on the possibility that attackers will use vulnerable devices as an entry point into hospital systems and records, or tamper with the devices themselves. The FDA has responded by issuing guidance on cybersecurity in premarket submissions and, in December 2016, on postmarket management of cybersecurity in devices already on the market.
The postmarket guidance calls for manufacturers to keep security in mind throughout a product's life by:
- Monitoring cybersecurity information sources to identify vulnerabilities that affect their devices.
- Adopting a coordinated vulnerability disclosure policy and working with the security researchers who report findings.
- Assessing whether a detected vulnerability could affect patient safety or the essential performance of the device.
- Providing software patches or other mitigations to remediate vulnerabilities before they are exploited.
The FDA's recommendations set the agenda for how device makers should approach security in the development process. The guidance also makes clear that routine updates and patches made solely to strengthen cybersecurity are generally treated as device enhancements, so manufacturers need not wait for FDA review before deploying them. Suzanne Schwartz, associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health, discussed the agency's approach with The Hill.
"This is what we said to manufacturers: one should consider the environment a hostile environment, there are constant attempts at intrusion … and they have to be hardened," she said.
On April 12, 2017, the agency went beyond guidance, sending Abbott Laboratories a warning letter stating that it must address security weaknesses in implantable cardiac devices and the related monitoring system. Abbott inherited those products when it acquired St. Jude Medical earlier that year. The letter gave Abbott 15 working days to respond with a plan for correcting the problems.
As this incident demonstrates, cybersecurity is now a high priority for regulators and for the companies creating medical products. Device makers cannot shoulder the burden alone: the FDA's guidance describes security as a shared responsibility among manufacturers, health care facilities and providers, and patients themselves.
Still, cybersecurity for medical devices starts with product design and development. Manufacturers must track both the shifting tactics of attackers and the changing expectations of regulators. Organizations that keep patient safety and the confidentiality of health information at the forefront of product design will be better positioned to pass through the approval or clearance process and to meet the challenges of a connected marketplace.