TRENDING:

Governance & Risk Management

FDA Official: More Medical Device Vulnerability Discoveries Are Likely

New Cybersecurity Guidance for Device Manufacturers Coming Soon Marianne Kolbasuk McGee (HealthInfoSec) • September 3, 2015     10 Minutes   
FDA Official: More Medical Device Vulnerability Discoveries Are Likely
FDA's Suzanne Schwartz, M.D.

The Food and Drug Administration expects more medical device security vulnerabilities to come to light in the year ahead as a result of improved awareness of cybersecurity issues, says Suzanne Schwartz, M.D., a senior FDA official. And the agency will soon issue more guidance for medical device manufacturers addressing the cybersecurity of their products already in use, she says.

"We would expect that many more vulnerabilities will come to light because as you raise awareness of an issue and people are paying attention to it, there will be more vulnerabilities found and identified," she says in an exclusive interview with Information Security Media Group. Her comments came after her Sept. 2 presentation at an annual HIPAA security conference in Washington, D.C., hosted by the National Institute of Standards and Technology and the Department of Health and Human Services.

"We would also anticipate that with the steps that we have been taking, and with the approach with collaboration [among stakeholders in the healthcare sector], there will be a more proactive posture in dealing with medical device cybersecurity. So the emphasis on vulnerability management ... and coordinated vulnerability disclosure is an area where we expect to see progress in the next 12 months," Schwartz adds.

Helping to build that awareness are various collaborative efforts underway in the healthcare sector, including the FDA working with the National Institute of Standards and Technology to adapt the NIST security framework for use with medical devices, as well as guidance that the FDA issued last year urging medical device makers to build cybersecurity into their design and life cycles of their products, Schwartz notes.

New Guidance in the Works

More FDA guidance for medical device makers is on the way, hopefully by the end of this year, she says. "We are working on articulating our policies in respect to post-market expectations for medical device makers" to address cyber vulnerabilities discovered after their products are already being used by healthcare providers, Schwartz says.

Despite the vulnerabilities in medical devices uncovered by independent researchers - including flaws spotlighted in a recent FDA alert about certain infusion pumps from manufacturer Hospira - it's critical to note that so far, the FDA has not received reports of patients actually being harmed by cyber-attacks on devices, Schwartz stresses.

"It's important to emphasize that to date, FDA have never received [a report of], and is unaware of any actual exploit of a medical device that has happened in use or in a clinical environment," she says. "The demonstrations of such capabilities have been done in a controlled laboratory setting."

In the interview, Schwartz also discusses:

  • Why collaboration among independent researchers, who look for cyber vulnerabilities, and medical device manufacturers is important;
  • Why some medical device makers become defensive when they are informed about cyber vulnerabilities discovered by independent researchers;
  • Progress that the FDA is seeing in the cybersecurity of medical devices.

As director of emergency preparedness/operations and medical countermeasures at the FDA's Center for Devices and Radiological Health, Schwartz represents the FDA across several inter-agency initiatives and integrated program teams on chemical, biological, radiological and nuclear threats, natural disasters and emerging infectious diseases. She also serves as co-chair of the Government Coordinating Council for the Healthcare and Public Health Sector. Her efforts in this role are mainly focused on strategic engagement of sector stakeholders to strengthen cybersecurity for critical infrastructure. Before joining the FDA, Schwartz served on the general surgical faculty at the Weill Cornell Medical Center in New York.

Previous
Incident Response: Lessons Government Can Learn from Industry
Next
How Hackers Are Bypassing Intrusion Detection



Around the Network

Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Why Health Firms Struggle with Cybersecurity Frameworks
Why Health Firms Struggle with Cybersecurity Frameworks
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.