Medical Device Cybersecurity Draft Guidance Issued By FDA

Federal regulators have proposed new guidance for how the medical device industry should address potential cybersecurity risks, as an increasing number of “connected” devices are implanted in patients throughout the U.S.

Proposed medical device cybersecurity draft guidance was issued by the FDA on January 15, outlining important steps medical device manufacturers should take to proactively plan for and to assess vulnerabilities, to keep patients safe and better protect public health.

The Device Regulation and Guidance recommendations are not binding on medical device manufacturers, but rather a series of suggestions offered to manufacturers as a preemptive measure.


In the guidelines, the FDA encourages hospitals and medical device manufacturers to monitor cybersecurity information sources to identify and detect hacking risks, improve cybersecurity detection and assessment methods, better understand the impact certain vulnerabilities pose to patients, adopt a coordinated vulnerability disclosure policy, and initiate mitigation practices that address cybersecurity risks before they are exploited.

Under current U.S. regulations, medical device manufacturers and hospitals largely handle cybersecurity risks and incidents on their own terms. The FDA is required to be notified only when cybersecurity vulnerabilities and exploits may compromise the essential clinical performance of a device and pose serious adverse health consequences or death to patients.

Under the new drafted guidance, the FDA indicates it will not need to be notified in cases where the vulnerability is addressed quickly and in a way to mitigate any potential harm to patients.

Other conditions that do not warrant FDA notification are that there is no threat to patient wellness or life, that the manufacturer notifies users immediately, and that the manufacturer is a participating member of an Information Sharing and Analysis Organization (ISAO). The company would be required to submit its vulnerability report, assessment and remediation to its associated ISAO.

Cybersecurity threats to the medical field have been a growing concern over the last few years as vulnerabilities in healthcare organizations’ record systems and medical devices have surfaced.

Since 2014, the U.S. Department of Homeland Security (DHS) has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. According to DHS, if preventative actions to address the medical field’s cybersecurity issues are not taken, hackers could exploit these vulnerabilities and put patients at serious risk.

The Department of Health and Human Services (DHHS) manager, Jason Lay, has called the exposed vulnerabilities in the medical field a danger. Lay said that hacks of medical devices are a very real possibility, and that hackers could potentially tamper with medical devices and use them to gain access to healthcare organizations’ health record systems.

Additionally, in a demonstration at the RSA security conference in San Francisco in 2012, researchers were able to hack medical devices such as insulin pumps from up to 300 feet away. The demonstration further showed how hackers could remotely take control of the insulin devices, allowing them to deliver lethal doses of insulin to patients without any notification.

The FDA has been actively working on improving cybersecurity in the medical field since 2013, when the White House issued Executive Order 13636, which called on the public and private sectors to collectively close the gap in cybersecurity infrastructure. Since the order, the FDA issued its first guidance in October 2014, recommending that medical device manufacturers incorporate strong anti-hack programs during the design stages of device development.

The FDA’s recent cybersecurity recommendations are being introduced on the core principles of “Identify, Protect, Detect, Respond and Recover.” As the guidelines indicate, the FDA is urging medical device manufacturers and hospitals to incorporate better information sharing to identify potential threats before any damages can occur.
