The U.S. Food and Drug Administration (FDA) moved aggressively in October 2018 to continue raising concerns about cybersecurity risks to medical devices, with three recent updates. The FDA just released new draft premarket cybersecurity guidance, indicating that it will eventually supersede the cybersecurity guidance issued in 2014. The draft guidance states that "FDA recognizes that medical device security is a shared responsibility among stakeholders, including health care facilities, patients, health care providers, and manufacturers of medical devices. Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) authenticity, availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death."
On Oct. 16, 2018, the FDA and the U.S. Department of Homeland Security (DHS) also announced a new memorandum of agreement (MOA) focusing efforts on implementing "greater coordination and cooperation between the two agencies for addressing cybersecurity in medical devices." The MOA defines the roles of the FDA and DHS, specifically the FDA's Center for Devices and Radiological Health and DHS' Office of Cybersecurity and Communications, stating that "such collaboration can lead to more timely and better responses to potential threats to patient safety." The DHS National Cybersecurity and Communications Integration Center (NCCIC) will continue to serve as the "central medical device vulnerability coordination center" while also communicating with the FDA to address systemic cybersecurity risks and vulnerabilities.
On Oct. 1, 2018, FDA Commissioner Scott Gottlieb announced a new Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, stating that "the threat of cyber-attacks is no longer theoretical." As we discussed in a prior blog post, Congress, the FDA and the Administration have continued to express concerns over cyber risks to the medical device industry. As a reminder, the first FDA recall attributed to cybersecurity risks in a medical device came in 2017, but over the course of the last five years the FDA has taken numerous steps to highlight and raise cybersecurity concerns in the health and medical device sector. The FDA has also moved to ensure that cyber risks to medical devices are appropriately communicated to consumers, and it is expected to continue issuing guidance on these matters.