FDA looks to strengthen medical device cybersecurity program – with help of device manufacturers

The FDA has released a statement discussing its efforts to strengthen the agency’s medical device cybersecurity program as part of its mission to protect patients.

The statement from FDA commissioner Scott Gottlieb, highlighted the FDA’s efforts to combat the threats of targeted malicious cyber campaigns and stressed that numerous industries are now subject to a continuous risk of cybersecurity attacks.

Gottlieb said, “Victims include financial institutions, government agencies, and now health care systems. Even when medical devices are not being deliberately targeted, if these products are connected to a hospital network, such as radiologic imaging equipment, they may be impacted.”

Gottlieb continued, “The FDA isn’t aware of any reports of an unauthorised user exploiting a cybersecurity vulnerability in a medical device that is in use by a patient. But the risk of such an attack persists.”

“We want to assure patients and providers that the FDA is working hard to be prepared and responsive when medical device cyber vulnerabilities are identified.”

The FDA are pursuing a program that ensures ‘shared responsibility’ between key stakeholders and the FDA. This relies on the launch of a ‘cyber security playbook’ from the FDA that is aimed at promoting cyber security readiness amongst health care delivery organisations.

Since the statement was issued, the FDA and Department of Homeland Security (DHS) have penned a memorandum of understanding aimed at increasing collaboration between the two agencies in an effort to improve medical device cybersecurity.

The Administration have expressed their belief in a culture of shared responsibility between healthcare stakeholders and the FDA in ensuring a continued vigilance against potential cyber security threats.

The FDA’s premarket guidance issued in 2014 advised device manufacturers that the best time to protect devices against potential cybersecurity vulnerabilities is during the design and development stages of the product.

Medical devices are part of a continuingly evolving sector and in order to keep pace with the changing landscape, the FDA has announced plans to release an updated version of its premarket guidance.

This updated guidance is expected to recommend manufactures include a ‘cybersecurity bill of materials’ which will entail a list of software and hardware components used in a device that could be susceptible to vulnerabilities.

The full FDA announcement can be read here