As the FDA attempts to play catch-up with the fast-evolving world of connected medical devices by issuing guidance, critics fear the guidance falls short of addressing the full complexity of cyber threats.
In a bid to bolster the safety of medical devices, which have become increasingly interconnected and interoperable, the FDA finalized recommendations to manufacturers for managing cybersecurity risks, with the aim of better safeguarding patient health and patient information.
The guidance comes amid concerns about a range of cybersecurity weaknesses: malware infections on network-connected medical devices, or on the computers and mobile devices used to access patient data; failure to deliver timely security updates and patches to medical devices and the networks they sit on; and others. According to a report by PwC, 47 percent of healthcare provider and payer respondents have integrated consumer products such as wearables or operational technologies such as automated pharmacy-dispensing systems into their environments, while only 53 percent reported having security controls in place for those devices.
The FDA issued the guidance to supplement previously released information. While it views medical device security as a shared responsibility among stakeholders, it called on manufacturers to “develop a set of cybersecurity controls to assure medical device cybersecurity and maintain medical device functionality and safety.”
The final guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” recommends that cybersecurity risks be considered as part of the design and development of a medical device, and that documentation be submitted to the FDA describing the risks identified and the measures established to mitigate them. The guidance also advises manufacturers to submit their plans for delivering patches and updates to the device's operating system and medical software.
The FDA recommends that manufacturers cover the following elements in their risk analysis:
- Identify assets, threats and vulnerabilities;
- Assess the impact of threats and vulnerabilities on device functionality and end users;
- Rate the likelihood of a threat or vulnerability being exploited;
- Determine risk levels and mitigation strategies; and
- Assess residual risk and risk acceptance criteria.
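The five elements above are a procedure, and the easiest way to see how they fit together is to run a small register through them. The following is an added example written for this page, not text or tooling from the FDA or from any manufacturer. It walks a hypothetical network-connected infusion pump through each step: the assets, threats, vulnerabilities and mitigations are constructed for illustration, and the 1 to 3 scales, the likelihood times impact scoring and the acceptance rule are assumptions of this example rather than anything the guidance prescribes.

```python
"""Worked medical-device cybersecurity risk analysis (added example, not FDA text).

Steps mirrored from the FDA list: identify asset/threat/vulnerability, assess
impact, rate likelihood, determine risk level and mitigations, then assess
residual risk against acceptance criteria.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed qualitative scale. The FDA guidance does not prescribe numbers.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Mitigation:
    control: str
    reduces_likelihood_by: int = 0   # steps down the 1-3 likelihood scale
    reduces_impact_by: int = 0       # steps down the 1-3 impact scale


@dataclass
class RiskItem:
    asset: str                 # step 1: asset
    threat: str                # step 1: threat
    vulnerability: str         # step 1: vulnerability
    impact: str                # step 2: effect on device function / end user
    patient_safety: bool       # step 2: does the impact reach the patient?
    likelihood: str            # step 3: chance of exploitation
    mitigations: list[Mitigation] = field(default_factory=list)  # step 4


def rating(product: int) -> str:
    """Map a likelihood x impact product (1..9) onto a qualitative level."""
    if product >= 6:
        return "high"
    if product >= 3:
        return "medium"
    return "low"


def inherent_risk(item: RiskItem) -> str:
    """Step 4: risk level before any mitigation is applied."""
    return rating(LEVELS[item.likelihood] * LEVELS[item.impact])


def residual_risk(item: RiskItem) -> str:
    """Step 5: risk level after the listed mitigations, floored at 1 per axis."""
    likelihood = max(1, LEVELS[item.likelihood] - sum(m.reduces_likelihood_by for m in item.mitigations))
    impact = max(1, LEVELS[item.impact] - sum(m.reduces_impact_by for m in item.mitigations))
    return rating(likelihood * impact)


def is_acceptable(item: RiskItem) -> bool:
    """Assumed acceptance criteria: residual 'low' is always acceptable;
    residual 'medium' is acceptable only when patients are not affected;
    residual 'high' is never acceptable."""
    residual = residual_risk(item)
    if residual == "low":
        return True
    if residual == "medium":
        return not item.patient_safety
    return False


def assess(register: list[RiskItem]) -> list[dict]:
    """Run every register entry through steps 4 and 5 and report the outcome."""
    return [
        {
            "asset": item.asset,
            "threat": item.threat,
            "inherent": inherent_risk(item),
            "residual": residual_risk(item),
            "accepted": is_acceptable(item),
        }
        for item in register
    ]


def unaccepted_assets(register: list[RiskItem]) -> list[str]:
    """Assets whose residual risk still fails the acceptance criteria."""
    return [r["asset"] for r in assess(register) if not r["accepted"]]


# Constructed register for a hypothetical pump; none of this describes a real product.
SAMPLE_REGISTER = [
    RiskItem("dosing controller", "unauthenticated remote dose command",
             "cleartext management service with default credentials (hypothetical)",
             impact="high", patient_safety=True, likelihood="high",
             mitigations=[Mitigation("authenticated, encrypted management channel only", reduces_likelihood_by=2),
                          Mitigation("firmware-enforced dose limits regardless of command source", reduces_impact_by=1)]),
    RiskItem("stored patient records", "malware on hospital LAN",
             "unpatched embedded OS", impact="medium", patient_safety=False, likelihood="high",
             mitigations=[Mitigation("documented patch and update process", reduces_likelihood_by=1)]),
    RiskItem("firmware update mechanism", "malicious firmware image",
             "update images are not signature-checked", impact="high", patient_safety=True, likelihood="medium",
             mitigations=[Mitigation("signed images verified before install", reduces_likelihood_by=2)]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
    print("needs further mitigation:", unaccepted_assets(SAMPLE_REGISTER))
```

The third entry is the point of the exercise: after signing firmware images the residual risk drops from high to medium, but because the impact reaches the patient it still fails the acceptance criteria, so the register tells the manufacturer that another control (or a documented risk-acceptance decision) is needed before the item can be closed.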
Though the FDA's efforts are well-intentioned, some experts argue that the guidance came too late. Ryan Kalember, chief product officer at WatchDox, said that while the FDA's guidance focuses largely on security at the point of manufacture, the data is the real risk, not the device. According to Kalember, the FDA's approach is unlikely to be sufficient to protect against security breaches because the data is most vulnerable when in transit.
Chris Petersen, chief technology officer and co-founder of LogRhythm, said the FDA waited too long to issue the guidelines, contending that the guidance puts the spotlight on devices going forward but fails to address the millions of IP-enabled devices already in operation across healthcare networks globally.
Though no cyber-related incidents involving medical devices have been reported thus far, the FDA may eventually be forced to take into account not only devices already on the market, but also how partners and suppliers are protecting systems and data.