The FDA is asking medical device manufacturers to submit documentation about cybersecurity controls they have in place to mitigate the threat of hackers accessing devices, including ongoing software patches and updates to operating systems.
The FDA issued the recommendations in a document to be released in full Thursday titled "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices," after having released a draft version last June. On Tuesday, the agency stated it found no indication that specific devices or systems have been purposely targeted by hackers, but remains concerned about device-related cybersecurity vulnerabilities.
"There is no such thing as a threat-proof medical device," Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health, said in prepared remarks. "It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks."
The FDA scheduled a public workshop Oct. 21-22 to discuss how government, medical device developers, hospitals, cybersecurity professionals, and other stakeholders can collaborate to improve the cybersecurity of medical devices and protect the public health. Last year the watchdog agency said it would put together a “cybersecurity laboratory” to test new medical products.
The FDA’s concerns about cybersecurity vulnerabilities include:
- Malware infections on network-connected medical devices or computers, smartphones, and tablets used to access patient data;
- Unsecured or uncontrolled distribution of passwords;
- Failure to provide timely security software updates and patches to medical devices and networks;
- Security vulnerabilities in off-the-shelf software designed to prevent unauthorized access to the device or network.