Eliminating Misconceptions of CybersecurityWhat the FDA Actually Says About Medical Device Cybersecurity
Eliminating Misconceptions of Cybersecurity
What the FDA Actually Says About Medical Device Cybersecurity
Medical devices, like other computer systems, can be vulnerable to security breaches- potentially impacting the safety and effectiveness of the device. As medical devices are increasingly connected to the Internet, hospital networks, and to other medical devices, this vulnerability becomes more prevalent. With cybersecurity breaches becoming more and more publicized, the concern around medical device cybersecurity has become more mainstream than ever.
“In the past, government regulators were not very vocal about their concerns around data security in devices. That has changed significantly over the last 18 months.” Mike Kijewski, CEO of MedCrypt explained to Q1 Productions. “Device vendors need to have a well-articulated and executed security strategy to ensure that products in their development pipelines will make it to market without regulatory problems.”
All medical devices carry a certain amount of risk. The FDA allows devices to be marketed when there is a reasonable assurance that the benefits to patients outweigh the risks. So what exactly does that mean? The FDA post-market final guidance was released in December, and since then they have published resources to dispel myths about cybersecurity. Here are five common myths and misconceptions the FDA wants you to know about.
Myth: The FDA is the only federal government agency responsible for the cybersecurity of medical devices
What the FDA says: “The FDA works closely with several federal government agencies including the U.S. Department of Homeland Security (DHS), members of the private sector, medical device manufacturers, health care delivery organizations, security researchers, and end users to increase the security of the U.S. critical cyber infrastructure.”
Myth: Cybersecurity for medical devices is optional
Myth: Health care Delivery Organizations (HDOs) can’t update and patch medical devices for cybersecurity
Myth: The FDA is responsible for the validation of software changes made to address cybersecurity vulnerabilities
Myth: The FDA tests medical devices for cybersecurity
Myth: Companies that manufacture off-the-shelf (OTS) software used in medical devices are responsible for validating its secure use in medical devices
To discuss other cybersecurity concerns, Q1 Productions is hosting the 2nd Annual Medical Device Cybersecurity Risk Mitigation Conference on July 17-18 in Arlington, Virginia. There will be regulator perspectives (FDA), security organizations (ISAO, NH-ISAC), and industry leaders coming together to provide insights on the evolving space of medical device cybersecurity. It will be a very interactive conference with solo presentations, co-presentations, fireside chats, panels, and open discussions.