By Suzanne Schwartz, M.D., M.B.A.
Cyber vulnerabilities – bugs or loopholes in software codes or other unintentional access points – are a real and constant threat to our networked laptops, mobile phones, or tablets. The Heartbleed virus and security breaches at major retailers are just a few recent examples of exploits of this hazard that have been in the news.
What you may not know is that there is a coordinated network of cybersecurity researchers, software engineers, manufacturers, government staffers, information security specialists, and others who share the responsibility of discovering and closing these security gaps. As a result, many vulnerabilities are detected and fixed before they seriously affect the public.
Medical devices that contain computer hardware or software or that connect to computer networks are subject to the same types of cyber vulnerabilities as consumer devices. The consequences of medical device breaches include impairing patient safety, care, and privacy. And as in the case of consumer devices, strengthening the cybersecurity of medical devices requires collaboration and coordination among many stakeholders, as well as a shared sense of responsibility for reducing the cybersecurity vulnerabilities.
This is why on October 21-22, 2014 the FDA, the Department of Homeland Security (DHS), and the Department of Health and Human Services (DHHS) will host a public meeting, Collaborative Approaches for Medical Device and Healthcare Cybersecurity. The purpose of the meeting is to catalyze collaboration in the health care and public health sector to more fully address medical device cybersecurity. The meeting will bring together medical device manufacturers; health care providers; biomedical engineers; IT system administrators; professional and trade organizations; insurance providers; cybersecurity researchers; local, state and federal government staffs; and representatives of information security firms. They will explore topics such as:
- The current state of medical device cybersecurity and cyber threats in the healthcare and public health sector,
- Cybersecurity gaps and challenges,
- Adapting and implementing the National Institute of Standards and Technologies cybersecurity framework in the health care and public health sector,
- Tools and standards for medical device cybersecurity,
- Leveraging the technical expertise of cybersecurity researchers, and
- Collaborative models for information sharing and a shared risk-assessment framework.
The cybersecurity of medical devices is an important part of public health safety, and the FDA has a significant role. In addition to convening this meeting, the FDA entered into a partnership with the National Health – Information Sharing and Analysis Center (NH-ISAC), a non-profit organization that closely cooperates with government agencies, and numerous health care and public health organizations. The partnership will enable FDA and NH-ISAC to share information about medical device cybersecurity vulnerabilities and threats. It will foster the development of a shared risk framework where information about medical device vulnerabilities and fixes is quickly shared among health care and public health stakeholders.
In addition, on October 1 the FDA released a final guidance for the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. The guidance recommends that manufacturers consider cybersecurity risks as part of the design and development of a medical device, and submit documentation to the FDA about the risks identified and controls in place to mitigate those risks. We think this will help improve the cybersecurity of medical devices and help contribute to the strengthening of our Nation’s health care cybersecurity infrastructure.
The FDA shares the responsibility of managing and reducing cybersecurity risks with many other stakeholders, and we look forward to hearing from them at the public meeting on October 21-22. We’re committed to working together to build a comprehensive cybersecurity infrastructure that can detect and respond to vulnerabilities in a timely way and that best protects the public health.
Suzanne B. Schwartz, M.D., M.B.A., is Director of Emergency Preparedness/Operations & Medical Countermeasures (EMCM) at FDA’s Center for Devices and Radiological Health.