11.13.14
Protecting patients by safeguarding device security is the key focus for a new U.S. Food and Drug Administration (FDA) guidance document. Preventing unauthorized software changes and ensuring that patient-specific data is secure are both central topics of new guidelines for medtech manufacturers.
Medical devices have been increasing in complexity, particularly regarding software and computer control systems. In many ways, medical devices have not received similar levels of cybersecurity focus as other areas of the medical industry.
“When one looks at the issue of medical device security, it becomes very apparent that medical devices historically have not had security sufficiently or robustly designed in as a part of the development process,” said Dale Nordenberg, M.D., executive director of the Medical Device Innovation, Safety, and Security Consortium. “The consequence is that the most vulnerable devices on a hospital IT backbone today are the medical devices, and those medical devices are directly responsible for patient care.”
Medical devices that incorporate software are potentially at risk from a patient safety and efficacy standpoint. For example, if the software can be accessed and changed by an unauthorized user, the device could function differently than intended, changing how the patient is treated and perhaps causing injury or harm.
“There is no such thing as a threat-proof medical device,” said Suzanne Schwartz, M.D., MBA, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”
The cybersecurity guidance document contains non-binding recommendations to medical device manufacturers. The main goal is to include cybersecurity as a component in the design and development process, which will help identify risks specific to each device.
To guide these activities, a cybersecurity framework recommended by the FDA was developed and includes the following elements:
Medical devices have been increasing in complexity, particularly regarding software and computer control systems. In many ways, medical devices have not received similar levels of cybersecurity focus as other areas of the medical industry.
“When one looks at the issue of medical device security, it becomes very apparent that medical devices historically have not had security sufficiently or robustly designed in as a part of the development process,” said Dale Nordenberg, M.D., executive director of the Medical Device Innovation, Safety, and Security Consortium. “The consequence is that the most vulnerable devices on a hospital IT backbone today are the medical devices, and those medical devices are directly responsible for patient care.”
Medical devices that incorporate software are potentially at risk from a patient safety and efficacy standpoint. For example, if the software can be accessed and changed by an unauthorized user, the device could function differently than intended, changing how the patient is treated and perhaps causing injury or harm.
“There is no such thing as a threat-proof medical device,” said Suzanne Schwartz, M.D., MBA, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”
The cybersecurity guidance document contains non-binding recommendations to medical device manufacturers. The main goal is to include cybersecurity as a component in the design and development process, which will help identify risks specific to each device.
To guide these activities, a cybersecurity framework recommended by the FDA was developed and includes the following elements:
- Identification of assets, threats, and vulnerabilities;
- Assessment of the impact of threats and vulnerabilities on device functionality and end users;
- Assessment of the likelihood of a threat and of a vulnerability being exploited;
- Determination of risk levels and suitable mitigation strategies; and
- Assessment of residual risk and risk acceptance criteria.