FDA finalizes cybersecurity recs for medical devices
- The FDA has released final guidance outlining how medical device makers should monitor, identify and address cybersecurity issues after products enter the marketplace.
- A risk-based scheme clarifies when modifications to address cybersecurity vulnerabilities must be reported to the FDA and circumstances that don’t require reporting.
- The guidance comes amid concerns about threats to patient privacy and safety as increasing numbers of devices are networked with one another.
This past fall, St. Jude Medical recalled certain models of its Fortify, Unify and Assura ICDs and CRT-Ds due to reports of premature battery depletion. The recalls followed reports by Muddy Waters and MedSec — denied by St. Jude — that the devices were vulnerable to hacking.
Around the same time, cybersecurity research firm Rapid7 identified security flaws in Animas’ OneTouch Ping insulin pump. The flaws could allow unauthorized access to the remote blood glucose monitor, which uses an unencrypted radiofrequency communication system.
Efforts to increase cybersecurity took off in 2013, when President Barack Obama issued an executive order and policy directive calling for a public-private effort to strengthen the cybersecurity infrastructure. The following year, the FDA issued final guidance on cybersecurity considerations during the design stage of device development.
But a recent report by ABI Research found cybersecurity investment in medical devices remains low, at about $390 million out of a total of $5.5 billion projected for healthcare overall.
Manufacturers could feel more pressure going forward to beef up device cybersecurity. The FDA has made securing networked devices a top priority in 2017. Among the activities planned are studies to identify categories of software changes that could hamper a device’s safety and effectiveness and research on fine-tuning the standard IT vulnerabilities rating system for healthcare products and services.
The final guidance on postmarket management of device cybersecurity follows a draft version released last January. Manufacturers should develop a plan for identifying and managing vulnerabilities in software-driven devices during the premarket phase, including an assessment of risk levels and potential mitigation strategies. They should also have a coordinated disclosure policy for handling problems after a device is on the market.
The agency stressed that most cybersecurity problems can be managed with routine updates and patches, which don’t require reporting.