“There is no such thing as a threat-proof medical device.”
Suzanne Schwartz, M.D., MBA, director of emergency preparedness and medical countermeasures at the FDA’s Center for Devices and Radiological Health.
Two months after finalizing its first guidance on cybersecurity, the FDA has announced a public workshop entitled “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity” to continue to address a growing safety consideration.
Since 2013, the FDA and other organizations have taken increased steps to address cybersecurity in the medical device industry. In summer 2015, the FDA issued its first cybersecurity alert for a network enabled computerized pump designed for general infusion therapy. Both the manufacturer and an independent research confirmed that the pump was vulnerable to access by an unauthorized remote user through the networked hospital information system. The unauthorized user could then modify the dosage the pump delivers to a patient. While no actual incidents were reported, both the manufacturer and the FDA recommended all hospitals immediately transition to other devices or at least disconnect the pump from the network and run offline as a temporary solution.
Other past efforts by the FDA to address cybersecurity include the white paper Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance to Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software, and a 2014 public workshop to seek further input from the public health sector on medical device and general health care cybersecurity.
The stated purposes of the January 2016 workshop are multifaceted and designed to take a comprehensive look at the state of the medical device cybersecurity. The purposes include: highlighting past collaborative efforts between agencies, increasing awareness of models for benchmarking organizational cybersecurity status, reviewing standards and tools in development to address cybersecurity risk, and discussing unresolved gaps and challenges in advancing medical device cybersecurity.
The workshop will also bring together a diverse set of stakeholders including the National Health Information Sharing Analysis Center (NH-ISAC), the Department of Health and Human Services and the Department of Homeland Security.
The workshop is planned for January 20-21, 2016, from 9:00 am – 5:30 pm at the FDA White Oak Campus in Silver Spring, Maryland. Registration is free and the meeting will also be webcast.