Although the FDA has only recently begun addressing medical device cybersecurity in an official capacity, device makers would do well to take notice that the agency has ramped up its oversight quickly over the last year.
Following last year’s issuance of formal guidance and the establishment of the FDA’s "cybersecurity laboratory," the agency is poised to start evaluating digital defenses in new medical devices. That means security-based rejections are on the way.
"Within the year, I would guess that we’re going to start seeing devices turned away from the FDA and not getting 510(k) clearance or [pre-market approval] because they have not taken cybersecurity concerns from the beginning and integrated that to the process appropriately," Battelle engineering manager Melissa Masters told MassDevice.com. "It’s going to be unfortunate, because I also think that a lot of companies don’t have this expertise within their organizations already."
Federal watchdogs have been working with industry groups to establish more detailed standards, meaning higher-level guidance is likely on the horizon, Masters said. That means the agency will have solid ground to send device makers back to the drawing board if they can’t demonstrate compliance with cybersecurity expectations.
"What happens if my device is unavailable? What happens if the data is corrupted on my device? Is it an issue or is it okay?" Masters said. "My guess is that if [regulators] don’t see that kind of thinking in your risk-analysis process, they’re going to say, ‘Go back and address these things. You have 2 weeks to figure it out, and come back to us.’"
That will likely mean companies need to be prepared to provide documentation on their cybersecurity efforts, but it may also mean device makers should prepare to subject their devices to deliberate cybersecurity attacks in the FDA’s new "fuzz testing" labs. The agency’s new "cybersecurity laboratory" will be outfitted with hack-testing software (the Defensics fuzzing suite from security firm Codenomicon), which will probe new devices for defects or vulnerabilities that could leave a system open to attack.
Not many companies have been openly discussing their security efforts or tactics (although industry titan Medtronic (NYSE:MDT) has promised in the past to treat cybersecurity as a high priority), but that doesn’t mean companies aren’t taking action.
A handful of security researchers have publicly revealed their work on medical devices and the updates and improvements that followed, but not many device makers have been openly willing to work with researchers or open up about their security (or infamous lack thereof).
Companies may be shy about their security programs, but Masters says that Battelle has long-term relationships with device makers and that others are becoming more receptive in the aftermath of last year’s FDA guidance.
"Everyone has seen the guidance document and, if they’ve been around for a while, they know what that means," Masters said. "They know that in a year or so, the FDA is going to start really looking through your filing and ensuring that you’ve done [security testing]."
The key to complying with the new requirements is to think about cybersecurity in the early stages of development, Masters added.
"To make sure that you’ve created a device that ensures confidentiality, the integrity of the data that’s stored on the device, and that the device is going to be available when you need it to be available, you need to design that in from the start, on the requirements process from architecture, and then they have to stream through all the way through design, and then you verify at the end," she told us. "If you try to shoehorn that in at the end, I think you’ll be late and it’ll be a little bit problematic. You might have some issues."