The Food and Drug Administration last week released long-awaited recommendations aimed at better managing cybersecurity risks to protect patient health and information. The new recommendations are included in the final release of a document titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.”
The new guidance recommends that manufacturers take cybersecurity risks into account as part of the design and development of a medical device. It calls for device makers to submit documentation to the FDA describing the risks they identified and the controls in place to mitigate those risks.
They also recommend manufacturers submit their plans for providing patches and updates to operating systems and medical software.
However, these new guidelines will not change the existing approval process or the timeline for device approval, the FDA said.
“This final guidance explains that manufacturers should consider cybersecurity risks in the device risk analysis that is required as part of design controls,” FDA spokesperson Jennifer Rodriguez told TechNewsWorld. “It also identifies the type of information that should be included in the premarket submission.”
Building In Controls
The FDA’s concerns about cybersecurity vulnerabilities include malware infections on network-connected medical devices and on the computers, smartphones and tablets used to access patient data. The concerns also cover weaknesses that are familiar from consumer and enterprise computing practices.
The guidelines caution against unsecured or uncontrolled distribution of passwords, as well as failure to provide timely security software updates and patches to medical devices and networks. They also address security vulnerabilities in off-the-shelf software that is relied on to prevent unauthorized access to the device or network.
“There is no such thing as a threat-proof medical device,” said Suzanne Schwartz, a medical doctor who is the director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”
The FDA’s proactive steps to secure the infrastructure and products produced by medical device and pharmaceutical manufacturers are a good start, but the plan is still a long way from adequate to protect patients and their information, warned Stephen Coty, chief security evangelist at Alert Logic.
There has been a shift in the attack vector in the healthcare field, however. In 2013, healthcare accounted for more lost and stolen data than any other industry, but this year that dynamic has changed, he noted.
“We are seeing fewer attacks for patient information and more attacks against the technology that supports the healthcare industry. We have seen attacks against Pfizer, Medtronic and GSK to name a few. I feel that although the FDA is setting guidelines, it may not be a successful strategy,” Coty told TechNewsWorld.
Hardened Devices No Cure
Devices and technologies in most healthcare facilities are implemented and monitored through networks that the facilities’ IT teams manage, yet very few of those facilities have security teams that monitor and respond to security incidents, according to Coty.
“The healthcare facility will still be vulnerable, even with hardened medical devices. The hackers these days are very well-funded and are able to buy the products of companies and reverse-engineer them to find a vulnerability that they can exploit,” he said.
Instead, it is the healthcare facilities that need to be held to a higher security standard, recommended Coty.
Medical device manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their products, including risks related to cybersecurity. They also are responsible for putting appropriate mitigations in place to address patient safety and assure proper device performance, according to Rodriguez.
“For sure, this is a positive development. Anything that device manufacturers and software engineers can do to build in security from the start is a good thing,” said Tunnel X cofounder and CTO Steve Schneider.
“The alternative is to duct-tape it onto your device or app at the end of the process. That is an approach to be avoided whenever possible, because the results are often disastrous,” he told TechNewsWorld.
The FDA’s recommendations include that device makers provide a justification of the security functions chosen for their medical devices, noted the FDA’s Rodriguez, along with a list of cybersecurity risks considered in the medical device’s design.