The FDA is ready to take a closer look at medical device cyber-safety, asking companies to provide details on anti-virus protection and other elements of digital security for new healthcare technologies. In light of a growing concern over incidents in which compromised security has exposed or disabled medical devices, the agency hopes to "reduce the risk of failure due to cyber-attack."
The FDA ordered medical device makers to remain "vigilant" about cybersecurity risks and mitigation efforts, noting that "cybersecurity incidents are increasingly likely." The agency stopped short of recommending any particular security actions or standards, asking instead that companies simply document their efforts and submit them for review.
The brief guidance and accompanying FDA commentary come as little surprise and aren’t likely to make waves in the industry, AdvaMed technology & regulatory affairs director Bernie Liebler told MassDevice.com in an interview today.
"I think it’s something that both parties have been thinking about and been aware of for a while," Liebler told us. "This is not a bolt from the blue for the industry."
Liebler added that cybersecurity risk mitigation is just one piece of the medtech risk assessment process, and that it’s been there for some time, especially as medical devices, like other technologies, have become more "cyber-dependent." As for what type of risk a cybersecurity threat may present to a medical device, generalizations are hard to make.
"Risk is a combination of the probabilities of something occurring and the severity or the harm that would occur when it happens," Liebler said. "If something could happen fairly frequently but it is basically innocuous, it’s a low concern; if something happens rarely but it’s extremely serious in consequence, then it’s got a very high priority."
That may explain why the FDA refrained from making any specific demands of medical device manufacturers in terms of their security standards.
"Failure to maintain cybersecurity can result in compromised device functionality, loss of data availability or integrity, or exposure of other connected devices or networks to security threats," according to the FDA. "These, in turn, have the potential to result in patient illness, injury, or death."
How to mitigate those potential threats remains up to the manufacturer, with the FDA asking only that companies provide records demonstrating that they’ve noted risks, assessed them and taken steps to protect the devices.
Medical device industry lobbying group AdvaMed issued a formal statement on the FDA’s proposed rule, further noting that medtech companies are aware of the security issue and that they’re working on ways to ensure that devices aren’t compromised.
"Our industry provides many life-saving or life-enhancing devices. So, it is important for both the manufacturers and the users of these devices to be aware of the potential for cybersecurity breaches," AdvaMed technology and regulatory affairs senior vice president Janet Trunzo said in prepared remarks. "Patient safety is the number one priority of the medical technology industry, and manufacturers have in place numerous safeguards to ensure the security and integrity of their devices."
Trunzo emphasized that there have been, to date, no reported incidents of "patient harm as the result of either inadvertent or intentional cyber security breaches," but that the industry understands the FDA’s "desire to be cautious in this area."
Although there have been no reports of patient injury as a result of malicious hacking, viruses and malware have already caused trouble in hospital-based machines and security researchers are making noise about the weak security protocols in medical technologies.
Hacking-related incidents represented about 6% of all reported healthcare data breaches from 2009 to January 2013, and that figure is projected to grow, according to an audit released earlier this year by technology security firm Redspin, which called the lull in healthcare hacking thus far the "calm before the storm."
The FDA asked that medical device makers document and submit their cybersecurity efforts when requesting agency review of new medical devices. Those reports would include, among other things, a "specific list" of all risks that were taken into consideration, a "traceability matrix" that links the risks to mitigation efforts and a systematic plan for providing updates and patches to ensure up-to-date protection, the agency suggested.
"The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity," according to the agency’s communication.
The federal watchdog agency suggested that medical device makers consider cybersecurity threats during the design phase of new devices in order to "result in more robust and efficient mitigation" of threats. The FDA asked that manufacturers define and document several elements of the security equation, including:
- Identification of assets, threats, and vulnerabilities;
- Impact assessment of the threats and vulnerabilities on device functionality;
- Assessment of the likelihood of a threat and of a vulnerability being exploited;
- Determination of risk levels and suitable mitigation strategies;
- Residual risk assessment and risk acceptance criteria.
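As an added illustration (not part of the article or of any FDA document) of how the five documentation elements above, the "traceability matrix" linking risks to mitigations, and Liebler's probability-times-severity view of risk fit together, the following Python risk register scores each identified asset/threat/vulnerability triple, links it to controls, computes residual risk and flags entries that either have no linked control or still exceed an acceptance criterion. The ordinal scales, the threshold and the register entries are all constructed, hypothetical values, not drawn from any real device.

```python
from dataclasses import dataclass, field

# Ordinal scales constructed for this example; a real submission defines its own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4}

@dataclass
class Risk:
    risk_id: str
    asset: str          # identified asset, threat and vulnerability
    threat: str
    vulnerability: str
    likelihood: str     # likelihood of the threat exploiting the vulnerability
    severity: str       # impact on device functionality and the patient
    # Linked controls as (control, likelihood steps removed, severity steps removed).
    mitigations: list = field(default_factory=list)

def risk_score(likelihood, severity):
    """Risk = probability of occurrence x severity of the resulting harm."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]

def residual_score(risk):
    """Score left after each linked control trims likelihood and/or severity."""
    l, s = LIKELIHOOD[risk.likelihood], SEVERITY[risk.severity]
    for _control, dl, ds in risk.mitigations:
        l, s = max(1, l - dl), max(1, s - ds)
    return l * s

def traceability_matrix(risks):
    """Risk id -> controls addressing it: the risk-to-mitigation linkage."""
    return {r.risk_id: [m[0] for m in r.mitigations] for r in risks}

def untraced(risks):
    """Risks with no linked control: a documentation gap whatever their score."""
    return [rid for rid, ctl in traceability_matrix(risks).items() if not ctl]

def unacceptable(risks, threshold):
    """Risks whose residual score still exceeds the acceptance criterion."""
    return [r.risk_id for r in risks if residual_score(r) > threshold]

# Constructed, hypothetical register entries, not drawn from any real device.
REGISTER = [
    Risk("R-01", "therapy settings", "unauthorized network access",
         "unauthenticated configuration interface", "likely", "critical",
         [("authenticated, authorized config commands", 2, 0), ("firmware-enforced therapy limits", 0, 1)]),
    Risk("R-02", "monitoring software", "network malware", "unpatched operating system",
         "possible", "minor", [("signed updates on a documented patch schedule", 1, 0)]),
    Risk("R-03", "exported patient data", "eavesdropping", "unencrypted export",
         "rare", "serious"),  # no control linked yet
]
```

With an acceptance threshold of 4, `unacceptable(REGISTER, 4)` flags R-01 (residual 6) while `untraced(REGISTER)` flags R-03, whose low score would otherwise hide that no mitigation has been documented for it.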
The agency recognized that the security needs of individual devices may vary depending on how a device communicates with other devices, the possible outcome of a breach and the environment in which the device is used. The FDA further noted the necessary balance that manufacturers must strike between usability and security.
"For example, security controls should not hinder access to the device during an emergency situation," the FDA said. "Similarly, manufacturers should consider how security features may interfere with the ability of healthcare providers to administer the necessary care."
Trunzo noted that medical device makers are already reviewing their cybersecurity initiatives, including by building security into new products, running vulnerability testing and conducting risk assessments.
"The ubiquity of digital technologies offers patients significant benefits, and the risk of a malicious cyber-attack is low when compared to these benefits," Trunzo said in a prepared statement. "At the same time, manufacturers recognize the need for increased security with these devices."
She added that the industry is ready to work with the FDA, security experts and other stakeholders to explore how best to protect medical devices.