Understanding the FDA Cybersecurity Go-Team

The U.S. Food and Drug Administration (FDA) recently unveiled the Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health, a comprehensive plan to assess processes and procedures in order to enhance medical device security in an ever-evolving technological landscape. Medical device cybersecurity, while a relatively new area of concern, is an important undertaking. It is a growing concern in the world of medical devices, and for good reason: according to a recent report, the FDA “regulates over 190,000 different devices, which are manufactured by more than 18,000 firms in more than 21,000 medical device facilities worldwide.”

The plan outlines several focus areas. The one that zeroes in on cybersecurity states its goal as “to advance medical device cybersecurity.” Under this point, the FDA plans to introduce the CyberMed Safety Analysis Board, which is being hailed as a “Cybersecurity Go-Team” by the Wall Street Journal. This group will be prepared for medical device cybersecurity threats and investigate security breaches for those 19,000 medical devices in the marketplace.

The sheer number of regulated medical devices means that a cybersecurity attack is likely to have serious implications. This is especially true for connected devices, including Class III implantable devices that connect to the internet and transmit patient information. According to the Wall Street Journal article, “Some of the industry’s challenges, such as the need to regularly update equipment that is used in the field for years on end, may be of interest more broadly… Medical devices present acute cybersecurity challenges because the machines and equipment can have a lifespan of up to 20 years and health-care providers often lack the funding and personnel to update them.”

The CyberMed Safety Analysis Board will be composed of experts in hardware, networking and biomedical engineering and will “assess vulnerabilities, adjudicate disputes and investigate security problems.” The FDA says it proposed funding for the board in its 2019 budget, which starts Oct. 1.

Where is this new concern for medical device security coming from? One possible answer is the 2017 WannaCry attack that impacted hospitals in England. The cyberattack not only cost companies nearly $4 billion, but according to a Reuters article it also “knocked hospitals offline, forced thousands of patients to reschedule appointments and disrupted infrastructure and businesses around the world.” According to a report from the U.K.’s National Audit Office, some had to resort to pen and paper while their systems were offline.

The FDA’s Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health will also focus on the following areas:

  1. Establish a robust medical device patient safety net in the United States
  2. Explore regulatory options to streamline and modernize timely implementation of post-market mitigations
  3. Spur innovation towards safer medical devices
  4. Advance medical device cybersecurity
  5. Integrate the Center for Devices and Radiological Health’s (CDRH’s) premarket and post-market offices and activities to advance the use of a TPLC approach to device safety

The concerns of the medical device cybersecurity world continue to evolve and grow, but there are certain steps that organizations can work towards in order to become more secure and safe.