FDA Official on Medical Device Security

Bakul Patel Represents Agency on New Safety Workgroup
FDA Official on Medical Device Security

As web-enabled medical devices increasingly face cybersecurity threats, federal regulators are evaluating how the government, healthcare organizations and device manufacturers can best address those risks.

See Also: The Application Security Team's Framework For Upgrading Legacy Applications

Among efforts under way to investigate medical device safety issues is the Food and Drug Administration's participation in a new workgroup (see: Advisers Tackle Health IT Safety Issues).

The newly formed Food and Drug Administration Safety Innovation Act Workgroup is advising the HIT Policy Committee of the Office of the National Coordinator for Health IT on safety issues. ONC is working with the FDA and the Federal Communications Commission to develop recommendations for a risk-based regulatory framework for health IT.

Last week, the FDA, FCC and ONC jointly issued in the Federal Register a request for comments on factors the agencies should consider as they develop "a report that contains a proposed strategy and recommendations on an appropriate, risk-based regulatory framework for health IT, including mobile medical applications, that promotes innovation, protects patient safety and avoids regulatory duplication."

In addition to that work, the FDA has other guidance available for healthcare providers and device manufacturers to address security risks to medical devices, says Bakul Patel, senior policy adviser to the director of the Center for Devices and Radiological Health at the FDA. Patel represents the agency on the new workgroup advising ONC.

"We continue to review our policies and guidance to make sure they are timely and provide necessary clarity to manufacturers and health care providers," Patel says.

In a e-mail interview with HealthcareInfoSecurity, he also confirms the FDA is evaluating how it reviews cybersecurity vulnerabilities and risks in medical devices. The complete text of that interview follows:

Top Security Concerns

Marianne Kolbasuk McGee: What are the biggest cybersecurity concerns involving medical devices?

Bakul Patel: Most electronic devices and networks are subject to different types of cybersecurity vulnerabilities, including medical devices. The type, complexity and risk profiles of medical devices vary greatly, as do the nature of the vulnerabilities.

For instance, we are aware that researchers have been able to demonstrate vulnerabilities that can disrupt infusion pumps. Other areas of vulnerability include wireless interference from other devices, computer viruses and degradation of reception that could impact the clinical performance and responsiveness of medical devices introduced by off - the - shelf software or upgrades and patches conducted over the Internet.

McGee: What kinds of medical devices are at greatest risk?

Patel: The security of medical devices is a growing public health concern. Because of the wide variety of medical devices available, the impacts of certain vulnerabilities - such as information that could be retrieved or the level of impact on a device's disruption- vary greatly.

We have no indication that any specific device or device type is at greater risk.

Mitigating Risks

McGee: What can healthcare providers do to identify and mitigate those security threats?

Patel: The benefits of using medical devices outweigh the current risks posed by potential cybersecurity vulnerabilities.

The FDA has provided information for healthcare facilities on mitigating security threats. That includes the following:

Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with medical device software/firmware, including risks related to security and are responsible for putting appropriate mitigations in place to address patient safety. We continue to review our polices and guidance to make sure they are timely and provide necessary clarity to manufacturers and health care providers.

Guidance for Manufacturers

McGee: What can medical device makers do to better protect their products against malware, hackers, and other cyberthreats?

Patel: We published a guidance for the industry: Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off - the - Shelf (OTS) Software

We also have several guidance documents on software:

Recognizing that cybersecurity is a shared risk environment that involves more than just medical device manufacturers, the ANSI/AAMI/IEC 80001 standard addressed the cybersecurity issues related to the integration of medical devices and information technology systems. The FDA contributed to the recently published 80001 global standard and has helped design the security annex to it as well as technical reports on the application of the standard. We also continue to explore cybersecurity practices in other industry sectors and how it might be usable in the medical device industry.

Patient Protections

McGee: Is there anything that patients who use mobile or web-enabled medical devices can do to protect themselves against cybersecurity threats?

Patel: It's very important to remember that the benefits of using their medical device outweigh the current risks posed by cybersecurity vulnerabilities. The FDA has not seen a trend in adverse event reports that would indicate widespread, active problems but is aware that cybersecurity vulnerabilities exist.

Patients should take similar precautions to protect their mobile or web-enabled medical devices as they would for other consumer products. This includes making sure that your computerized equipment is virus-free and that you have adequate and updated anti-virus software.

FDA Action

McGee: What programs/plans are there at FDA to help address these issues?

Patel: To help manufacturers of medical devices protect the safety and effectiveness of their products as technology evolves, the FDA is constantly looking at ways to help address potential vulnerabilities and other cybersecurity risks during our review of new devices as well as in our surveillance of devices already on the market and in use. We are:

  • Conducting an evaluation of how we review medical device software, including review of cybersecurity vulnerabilities and risks in medical devices;
  • Working with standard development organizations in developing international standards related to the integration of medical devices and information technology systems, focusing on the shared risk of both the manufacturers and the users of the device; and
  • Strengthening our ability to detect medical device performance and safety issues as they occur using our post-market surveillance programs.

McGee: How might the new Food and Drug Administration Safety Innovation Act Workgroup that's advising the HIT Policy Committee address medical device security issues that could pose safety risks to patients?

Patel: The FDASIA workgroup is identifying the overall issues that a potential a regulatory framework for health IT could include, including cybersecurity.

For more from HealthcareInfoSecurity on medical device security, also see:


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.