Debunking Medical Device Cyber MythsFDA Official Explains Agency's Expectations for Cybersecurity
The Food and Drug Administration's Suzanne Schwartz, M.D., is on a mission to debunk the myth that medical device manufacturers need FDA approval for software updates or patches to address potential vulnerabilities.
In an interview with Information Security Media Group, she stresses: "Unless there is a very, very specific concern toward the impact of that patch or update affecting the functionality of the device, which would be rare, we are not expecting manufacturers to submit to the FDA any additional [requests for approval] to provide those patches and updates."
Manufacturers need to clearly understand that they are responsible for addressing the cybersecurity of medical devices already in use at healthcare facilities, as well as new products being submitted to the FDA for premarket approval, says Schwartz, who is director of emergency preparedness operations and medical countermeasures at the FDA's Center for Devices and Radiological Health.
"We want to make sure the private sector feels empowered and enabled in terms of being able to address cybersecurity challenges faced," she adds.
Because networked and Internet-enabled medical devices are vulnerable to cybersecurity threats that could pose potential patient safety concerns, as well as information security risks, the FDA has been ramping up its efforts to push medical device makers and users into more aggressively assessing and mitigating those risks. That includes issuing new cybersecurity guidance for manufacturers (see Ramping Up Medical Device Cybersecurity).
Although the new guidance offers recommendations, and not mandates, that manufacturers consider cybersecurity risks as part of the design and development of medical devices, the FDA will "potentially" reject products submitted for the agency's approval that lack those criteria, she says.
"In the review of a new product that comes into the FDA, the expectation is that a manufacturer will meet the specific recommendations that are stated within the guidance and perform the comprehensive cybersecurity assessment that is intended for that device," she says.
She points out that the FDA's recommendations "state that an alternative approach can be used to satisfy statutes and regulations. There's an opportunity for a vendor to come in with an alternate approach, but there has to be the appropriate evidence in being able to support that."
Besides the cybersecurity of new products, manufacturers also need to consider how to address the security of older devices still in widespread use that are running outdated operating systems or other software, she says.
"Legacy [medical] devices are a very complex issue in that many of them in use at healthcare facilities may no longer be supported by the manufacturer," she says. "This is an enormous challenge."
The FDA is looking to collaborate with with industry stakeholders to develop strategies to mitigate the cybersecurity risks these legacy devices pose, she says.
In the interview, Schwartz also discusses:
- What healthcare providers can do to improve the cybersecurity of medical devices used in their organizations;
- The FDA's collaboration with the Department of Homeland Security and other units within the Department of Health and Human Services on medical device cybersecurity issues;
- The goals for an FDA workshop on medical device cybersecurity to be held Oct. 21 and 22.
As director of emergency preparedness/operations and medical countermeasures at the FDA's Center for Devices and Radiological Health, Schwartz, represents the FDA across several inter-agency initiatives and integrated program teams on chemical, biological, radiological and nuclear threats, natural disasters and emerging infectious diseases. She also serves as co-chair of the Government Coordinating Council for the Healthcare and Public Health Sector. Her efforts in this role are mainly focused on strategic engagement of sector stakeholders to strengthen cybersecurity for critical infrastructure. Before joining the FDA, Schwartz served on the general surgical faculty at the Weill Cornell Medical Center in New York..