Medical Device Guide: Why It's Critical
Attorney Explains Why Makers Should Adopt New FDA Guidelines
Even though compliance with new Food and Drug Administration guidance recommending that medical device makers bake cybersecurity into the design of their products is voluntary, manufacturers need to take the guidelines seriously, says privacy attorney Ellen Giblin.
That's because similar guidance about building privacy and security protections into consumer products issued by the Federal Trade Commission, as well as other government guidelines, have become industry best practices and de facto standards, Giblin says.
"Some of those [other] publications were seen as guidance at the beginning but became adopted as a standard," she says in an interview with Information Security Media Group. "So why not jump on board and follow the guidance?"
The FDA guidance, issued in October, recommends that manufacturers consider cybersecurity risks as part of the design and development of a medical device, and submit documentation to the FDA about the risks identified and controls in place to mitigate those risks. The guidance also recommends that manufacturers submit to the FDA their plans for providing patches and updates to operating systems and medical software (see FDA Issues Medical Device Security Guide).
While the voluntary FDA guidance does not have the force of law, as the recommendations become more widely embraced by the healthcare sector, they will be considered best practices, raising liability issues for manufacturers who neglect to follow the guidance and then experience a device breach, she says.
"If they were to do nothing and totally disregard this guidance, that would not be a wise choice moving forward," she says.
Experts speaking at a recent FDA medical device cybersecurity workshop voiced concern that it's only a matter of time before a patient is killed or injured due to a targeted cyber-attack against a networked medical device - or even as the result of an unintentional cyber vulnerability (see Medical Devices Hacks: The Dangers).
In light of emerging cyberthreats, Giblin also advises that healthcare providers discuss cybersecurity risks of medical devices with their patients. "They should disclose to patients that [cybersecurity] is a concern, it is a risk," she says.
Plus, Giblin suggests that healthcare providers refer to the FDA guidance when assessing the cybersecurity features of medical devices they're considering buying. "The guidance is very clear - if you were going to review a new product or service, here's a way to do it."
In the interview, Giblin also discusses:
- What's most significant about the new FDA guidance;
- Advice to healthcare providers regarding medical device cybersecurity;
- Why manufacturers need to closely protect medical device intellectual property.
Giblin is counsel in the Boston office of law firm Edwards Wildman Palmer, focusing her practice on global privacy and data protection and data breach response. She is internationally recognized in the areas of cybersecurity, privacy, data security, breach response, investigation, and information governance. Before joining Edwards Wildman Palmer, Giblin was privacy counsel for the Ashcroft Law Firm. Earlier, she was a senior risk manager at RBS Americas and a privacy officer for Citizens Financial Group.