FDA Releases Cybersecurity Guidance Document, Aims To Reduce Patient Risk
By Chuck Seegert, Ph.D.
Protecting patients by safeguarding device security is the key focus for a new FDA guidance document. Preventing unauthorized software changes and ensuring that patient-specific data is secure are both central topics of the new guidelines for medical device manufacturers.
Medical devices have been increasing in complexity, especially with regard to software and computer control systems. In many ways, medical devices have not received the same level of cybersecurity focus that other areas of the medical industry have.
“When one looks at the issue of medical device security, it becomes very apparent that medical devices historically have not had security sufficiently or robustly designed in as a part of the development process,” said Dale Nordenberg, M.D., executive director of the Medical Device Innovation, Safety, and Security Consortium (MDISS) and moderator of a panel at AdvaMed 2014 called Medical Device Security: Market-Driven Improvement for the Medical Device Industry. “The consequence is that the most vulnerable devices on a hospital IT backbone today are the medical devices, and those medical devices are directly responsible for patient care.”
Medical devices that incorporate software are potentially at risk from a patient safety and efficacy standpoint. For example, if the software can be accessed and changed by an unauthorized user, the device could function differently than intended, changing how the patient is treated and perhaps causing injury or harm. Unauthorized access to secure patient information is also a concern.
“There is no such thing as a threat-proof medical device,” said Suzanne Schwartz, M.D., MBA, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health, in a recent press release. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”
The cybersecurity guidance document is about nine pages long and contains non-binding recommendations to medical device manufacturers. The main goal is to include cybersecurity as a component in the design and development process, which will help identify risks specific to each device. To guide these activities, a cybersecurity framework recommended by the FDA was developed that includes the following elements:
- Identification of assets, threats, and vulnerabilities
- Assessment of the impact of threats and vulnerabilities on device functionality and end users
- Assessment of the likelihood of a threat and of a vulnerability being exploited
- Determination of risk levels and suitable mitigation strategies
- Assessment of residual risk and risk acceptance criteria