FDA won’t do that: Cybersecurity edition

Speaking this week during a HIMSS 2017 education session, Carmody warned that the clinical environment “represents a large attack surface for national security today,” as reported by Healthcare Informatics. He also said that if medtech continues to focus only on intended use, it is creating an underbelly of security vulnerability that will require collaborative measures between manufacturers, providers, and regulators.

Carmody gave industry and healthcare providers some straight talk, a fact-vs-myth discussion clarifying FDA’s role in medtech cybersecurity. Some key points:

  1. FDA is not solely responsible for medtech security.
  2. FDA does not need to approve (or clear) issue updates or cybersecurity fixes.
  3. FDA will not test devices for cybersecurity vulnerabilities.
  4. Healthcare organizations can (and should) issue patches or updates for cybersecurity reasons.

Many of these statements have been made by FDA before. FDA clarified these ideas with the release of Postmarket Management of Cybersecurity in Medical Devices in December 2016.

Suzanne B. Schwartz, FDA’s Associate Director for Science and Strategic Partnerships at CDRH, has offered additional advice on the topic via her blog, recommending that manufacturers:

  • Have a way to monitor and detect cybersecurity vulnerabilities in their devices.
  • Understand, assess and detect the level of risk a vulnerability poses to patient safety.
  • Establish a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities (known as a “coordinated vulnerability disclosure policy”).
  • Deploy mitigations (e.g., software patches) to address cybersecurity issues early, before they can be exploited and cause harm.

Schwartz also noted that this is not the end of FDA’s efforts, merely a beginning step in addressing cybersecurity. “We will continue to work with all medical device cybersecurity stakeholders to monitor, identify and address threats, and intend to adjust our guidance or issue new guidance, as needed.”

REFERENCE: Medical Design and Outsourcing; 22 FEB 2017; Heather Thompson