FDA Official on Medical Device Security
Bakul Patel Represents Agency on New Safety Workgroup
As web-enabled medical devices increasingly face cybersecurity threats, federal regulators are evaluating how the government, healthcare organizations and device manufacturers can best address those risks.
Among efforts under way to investigate medical device safety issues is the Food and Drug Administration's participation in a new workgroup (see: Advisers Tackle Health IT Safety Issues).
The newly formed Food and Drug Administration Safety Innovation Act Workgroup is advising the HIT Policy Committee of the Office of the National Coordinator for Health IT on safety issues. ONC is working with the FDA and the Federal Communications Commission to develop recommendations for a risk-based regulatory framework for health IT.
Last week, the FDA, FCC and ONC jointly issued in the Federal Register a request for comments on factors the agencies should consider as they develop "a report that contains a proposed strategy and recommendations on an appropriate, risk-based regulatory framework for health IT, including mobile medical applications, that promotes innovation, protects patient safety and avoids regulatory duplication."
In addition to that work, the FDA has other guidance available for healthcare providers and device manufacturers to address security risks to medical devices, says Bakul Patel, senior policy adviser to the director of the Center for Devices and Radiological Health at the FDA. Patel represents the agency on the new workgroup advising ONC.
"We continue to review our policies and guidance to make sure they are timely and provide necessary clarity to manufacturers and health care providers," Patel says.
In an e-mail interview with HealthcareInfoSecurity, he also confirms the FDA is evaluating how it reviews cybersecurity vulnerabilities and risks in medical devices. The complete text of that interview follows:
Top Security Concerns
Marianne Kolbasuk McGee: What are the biggest cybersecurity concerns involving medical devices?
Bakul Patel: Most electronic devices and networks are subject to different types of cybersecurity vulnerabilities, including medical devices. The type, complexity and risk profiles of medical devices vary greatly, as do the nature of the vulnerabilities.
For instance, we are aware that researchers have been able to demonstrate vulnerabilities that can disrupt infusion pumps. Other areas of vulnerability include wireless interference from other devices, computer viruses and degradation of reception that could impact the clinical performance and responsiveness of medical devices introduced by off-the-shelf software or upgrades and patches conducted over the Internet.
McGee: What kinds of medical devices are at greatest risk?
Patel: The security of medical devices is a growing public health concern. Because of the wide variety of medical devices available, the impacts of certain vulnerabilities, such as information that could be retrieved or the level of impact on a device's disruption, vary greatly.
We have no indication that any specific device or device type is at greater risk.
Mitigating Risks
McGee: What can healthcare providers do to identify and mitigate those security threats?
Patel: The benefits of using medical devices outweigh the current risks posed by potential cybersecurity vulnerabilities.
The FDA has provided information for healthcare facilities on mitigating security threats. That includes the following:
- Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software;
- Webinar: Cybersecurity of Medical Devices;
- Public Health Notification: Reminder from FDA: Cybersecurity for Networked Medical Devices is a Shared Responsibility.
Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with medical device software/firmware, including risks related to security, and are responsible for putting appropriate mitigations in place to address patient safety. We continue to review our policies and guidance to make sure they are timely and provide necessary clarity to manufacturers and health care providers.
Guidance for Manufacturers
McGee: What can medical device makers do to better protect their products against malware, hackers, and other cyberthreats?
Patel: We published a guidance for the industry: Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.
We also have several guidance documents on software:
- General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Jan. 11, 2004;
- Guidance for Industry, FDA Reviewers and Compliance on Off-the-Shelf Software Use in Medical Devices, Sept. 9, 1999;
- Guidance for FDA Reviewers and Industry, Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices, May 29, 1998.
Recognizing that cybersecurity is a shared risk environment that involves more than just medical device manufacturers, the ANSI/AAMI/IEC 80001 standard addressed the cybersecurity issues related to the integration of medical devices and information technology systems. The FDA contributed to the recently published 80001 global standard and has helped design the security annex to it as well as technical reports on the application of the standard. We also continue to explore cybersecurity practices in other industry sectors and how they might be usable in the medical device industry.
Patient Protections
McGee: Is there anything that patients who use mobile or web-enabled medical devices can do to protect themselves against cybersecurity threats?
Patel: It's very important to remember that the benefits of using their medical device outweigh the current risks posed by cybersecurity vulnerabilities. The FDA has not seen a trend in adverse event reports that would indicate widespread, active problems but is aware that cybersecurity vulnerabilities exist.
Patients should take similar precautions to protect their mobile or web-enabled medical devices as they would for other consumer products. This includes making sure that your computerized equipment is virus-free and that you have adequate and updated anti-virus software.
FDA Action
McGee: What programs/plans are there at FDA to help address these issues?
Patel: To help manufacturers of medical devices protect the safety and effectiveness of their products as technology evolves, the FDA is constantly looking at ways to help address potential vulnerabilities and other cybersecurity risks during our review of new devices as well as in our surveillance of devices already on the market and in use. We are:
- Conducting an evaluation of how we review medical device software, including review of cybersecurity vulnerabilities and risks in medical devices;
- Working with standard development organizations in developing international standards related to the integration of medical devices and information technology systems, focusing on the shared risk of both the manufacturers and the users of the device; and
- Strengthening our ability to detect medical device performance and safety issues as they occur using our post-market surveillance programs.
McGee: How might the new Food and Drug Administration Safety Innovation Act Workgroup that's advising the HIT Policy Committee address medical device security issues that could pose safety risks to patients?
Patel: The FDASIA workgroup is identifying the overall issues that a potential regulatory framework for health IT could include, including cybersecurity.