Addressing Vulnerabilities in Medical Devices
Attorney Yarmela Pavlovic on Steps Device Makers Need to Take
Medical device makers need to ensure they have procedures in place to take quicker action once they're alerted to cybersecurity issues in their products, says attorney Yarmela Pavlovic, who specializes in healthcare regulatory issues.
"My advice to companies is not only to be thinking about what steps to be taking to prevent cybersecurity vulnerabilities from happening, but also what steps they should be taking should any vulnerability be revealed," she says in an interview with Information Security Media Group.
Medical device security vulnerabilities discovered by independent researchers and demonstrated by ethical hackers thus far have apparently not resulted in patient harm, she notes.
Nevertheless, she says, "there's an important aspect to this, which is protection - and that comes in the form of proactive design and development [of medical devices by manufacturers], but also being prepared to react on the back-end when those vulnerabilities are revealed."
Device manufacturers, she says, must have "the right stakeholders at the table within the company ready to respond in an efficient, effective and timely manner."
Healthcare Entity Risks
Pavlovic also suggests that healthcare organizations that identify security issues in legacy medical devices should work closely with the manufacturer to address the issue. "Most medical device companies are very much interested in partnership with customers to make sure patients are protected, information is protected and vulnerabilities don't present a patient safety or financial risk for the folks who are using them," says Pavlovic, who advises device makers on FDA compliance issues.
In the interview, Pavlovic also discusses:
- FDA's recently released final guidance for how medical device manufacturers should help maintain the cybersecurity of network-connected devices once they are in use;
- Whether the FDA will ever review cybersecurity features of medical devices as mandatory requirements when assessing those products for market approval;
- The impact of the recent passage of the 21st Century Cures Act on the FDA's regulatory authority over medical devices and internet of things devices;
- Predictions about FDA activities on medical devices and cybersecurity issues for 2017.
Pavlovic, a partner at Hogan Lovells LLP in the firm's San Francisco office, assists medical device manufacturers in getting FDA marketing approval for their products. Previously, Pavlovic was an attorney at law firm Pepper Hamilton LLP.