Eliminating Misconceptions of Cybersecurity

What the FDA Actually Says About Medical Device Cybersecurity

Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. As medical devices are increasingly connected to the Internet, to hospital networks, and to other medical devices, that exposure grows. With cybersecurity breaches becoming more widely publicized, concern around medical device cybersecurity has become more mainstream than ever.

“In the past, government regulators were not very vocal about their concerns around data security in devices. That has changed significantly over the last 18 months,” Mike Kijewski, CEO of MedCrypt, explained to Q1 Productions. “Device vendors need to have a well-articulated and executed security strategy to ensure that products in their development pipelines will make it to market without regulatory problems.”

All medical devices carry a certain amount of risk. The FDA allows a device to be marketed when there is reasonable assurance that its benefits to patients outweigh its risks. So what exactly does that mean for cybersecurity? The FDA's final postmarket cybersecurity guidance was released in December, and since then the agency has published resources to dispel myths about medical device cybersecurity. Here are five common myths and misconceptions the FDA wants you to know about.

Myth: The FDA is the only federal government agency responsible for the cybersecurity of medical devices.

What the FDA says: “The FDA works closely with several federal government agencies including the U.S. Department of Homeland Security (DHS), members of the private sector, medical device manufacturers, health care delivery organizations, security researchers, and end users to increase the security of the U.S. critical cyber infrastructure.”

Myth: Cybersecurity for medical devices is optional.

What the FDA says: “Medical device manufacturers must comply with federal regulations. Part of those regulations, called quality system regulations (QSRs), requires that medical device manufacturers address all risks, including cybersecurity risk. The pre- and post- market cybersecurity guidances provide recommendations for meeting QSRs.”

Myth: Health Care Delivery Organizations (HDOs) can’t update and patch medical devices for cybersecurity.

What the FDA says: “The FDA recognizes that HDOs are responsible for implementing devices on their networks and may need to patch or change devices and/or supporting infrastructure to reduce security risks. Recognizing that changes require risk assessment, the FDA recommends working closely with medical device manufacturers to communicate changes that are necessary.”

Myth: The FDA tests medical devices for cybersecurity.

What the FDA says: “The FDA does not conduct premarket testing for medical products. Testing is the responsibility of the medical product manufacturer.”

Myth: Companies that manufacture off-the-shelf (OTS) software used in medical devices are responsible for validating its secure use in medical devices.

What the FDA says: “The medical device manufacturer chooses to use OTS software, thus bearing responsibility for the security as well as the safe and effective performance of the medical device.”

To discuss other cybersecurity concerns, Q1 Productions is hosting the 2nd Annual Medical Device Cybersecurity Risk Mitigation Conference on July 17-18 in Arlington, Virginia. Regulator perspectives (FDA), security organizations (ISAO, NH-ISAC), and industry leaders will come together to provide insights on the evolving space of medical device cybersecurity. It will be a highly interactive conference with solo presentations, co-presentations, fireside chats, panels, and open discussions.