FDA Focuses Attention on Medical Device Cybersecurity Risks
All companies in this day and age must devote some attention to cybersecurity risks. Regardless of industry, almost every entity maintains some form of personally identifiable information that requires protection (e.g., credit card information, Social Security numbers, bank account information, etc.). However, the medical device industry has additional concerns – it must make sure that its Internet- or WiFi-connected devices do not themselves introduce cybersecurity risks, because failure to address cybersecurity vulnerabilities can result in compromised device functionality, loss of data, or exposure to security threats resulting in patient illness, injury, or death. Moreover, medical identity theft is on the rise, attributed largely to the worth of medical information to cybercriminals. Because medical identity theft often takes time to detect, it allows criminals to accumulate significant amounts of information, making it more valuable than other forms of fraud, such as credit card fraud, which is quickly detected and the card canceled.
The devices posing the greatest risks are those such as implantable defibrillators, pacemakers, brain stimulators, dialysis devices, and insulin pumps which are connected to another medical or non-medical product, or to a network, or to the Internet.
In late January, the Food and Drug Administration (FDA) held a two-day program intended to inform medical device manufacturers and the professionals who prescribe the devices about the steps that can be taken in the premarket process to better protect medical devices from cybersecurity threats. The information provided by the FDA was set forth in a recently updated draft guidance the FDA published in October 2018 (the “Guidance”). Adopting the steps set forth in the Guidance will make it more likely that the FDA will find the device meets the statutory standard for premarket review.
The FDA does not have the authority to regulate cybersecurity protections. However, the recommendations will be considered as part of the review process of bringing a medical device to market. Federal regulations state that a manufacturer must “establish and maintain procedures for validating the device design,” including “software validation and risk analysis.” 21 CFR 820.30(g). The Guidance states that, as part of that validation and analysis, manufacturers must establish a cybersecurity vulnerability and management process, including design controls to ensure medical device cybersecurity.
The Guidance states that the FDA considers medical device protection to be a shared responsibility among many stakeholders, including health care facilities, health care providers, and patients, as well as manufacturers. The Guidance includes recommendations to:
Limit access to trusted users and devices
Create authentication and check authorizations of safety-critical commands
Ensure trusted content by maintaining code, data, execution integrity
Verify data integrity
Maintain confidentiality of data
Design the device to detect cybersecurity events in a timely manner
Design the device to respond to and contain the impact of a potential cybersecurity incident
The complete Guidance can be viewed by clicking here. The FDA is accepting comments on the Guidance until March 18. We will continue to monitor these developments.