Understanding the FDA Cybersecurity Go-Team
The sheer number of regulated medical devices means that a cybersecurity attack is likely to have serious implications. This is especially true for connected devices, including Class III implantable devices that connect to the internet and transmit patient information. According to the Wall Street Journal article, “Some of the industry’s challenges, such as the need to regularly update equipment that is used in the field for years on end, may be of interest more broadly… Medical devices present acute cybersecurity challenges because the machines and equipment can have a lifespan of up to 20 years and health-care providers often lack the funding and personnel to update them.”
The CyberMed Safety Analysis Board will be composed of experts in hardware, networking and biomedical engineering and will “assess vulnerabilities, adjudicate disputes and investigate security problems.” The FDA says it proposed funding for the board in its 2019 budget, which starts Oct 1.
Where is this new concern for medical device security coming from? One possible answer is the 2017 WannaCry attack that impacted hospitals in England. The cyberattack not only cost companies nearly $4 billion but, according to a Reuters article, it also “knocked hospitals offline, forced thousands of patients to reschedule appointments and disrupted infrastructure and businesses around the world.” According to a report from the U.K.’s National Audit Office, some had to resort to pen and paper while their systems were offline.
The FDA’s Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health will also focus on the following areas:
- Establish a robust medical device patient safety net in the United States
- Explore regulatory options to streamline and modernize timely implementation of post-market mitigations
- Spur innovation towards safer medical devices
- Advance medical device cybersecurity
- Integrate the Center for Devices and Radiological Health’s (CDRH’s) premarket and post-market offices and activities to advance the use of a TPLC approach to device safety
The concerns of the medical device cybersecurity world continue to evolve and grow, but there are certain steps that organizations can take to become more secure and safe. Join us at the 3rd Annual Medical Device Cybersecurity Risk Mitigation Conference in Arlington, VA on July 16-17 as we explore the unique challenges facing device cybersecurity professionals, while focusing on strategic risk mitigation and ongoing product safety.