In January, the US FDA issued draft guidance that outlines how medical device companies should address cybersecurity risks.
In today’s increasingly digital age, cybersecurity is a growing concern. Any system that stores a user’s data in cyberspace is vulnerable to cyberattacks, from nuclear power stations to online dating websites. And when it comes to the healthcare sector, the same holds true.
In January, the US Food and Drug Administration (FDA) issued draft guidance that outlines how medical device companies should address cybersecurity risks. The report provides recommendations for “managing postmarket cybersecurity vulnerabilities for marketed medical devices,” and is aimed at encouraging manufacturers to address cybersecurity issues throughout the lifecycles of their products: design, development, production, deployment and maintenance.
The FDA notes that “proactively addressing cybersecurity risks in medical devices reduces the patient safety impact and the overall risk to public health.” As such, manufacturers have a duty to monitor, identify and address any vulnerabilities in the postmarket management of their products.
Furthermore, the FDA suggests monitoring cybersecurity information sources for, among other things: identifying and detecting vulnerabilities and risks; understanding, assessing and detecting the presence and impact of a vulnerability; identifying the device’s clinical performance so that mitigations can be developed that protect against, respond to and recover from the cybersecurity risk; and deploying mitigations that address cybersecurity risk early, prior to exploitation.
Overall, the FDA recommends “routine updates and patches” to devices to increase security or remediate vulnerabilities associated with controlled risk. That includes regular updates to the firmware, software, programmable logic and hardware of devices, as well as to their security controls, which will in turn increase device security.
Independent research looks into cybersecurity and medical devices
Speaking to Information Security Media Group, independent researcher Billy Rios said he has been working with other organizations to get a better understanding of how to evaluate cybersecurity issues with medical devices. Specifically, Rios is looking to identify if there are indeed patient safety concerns associated with these devices.
Rios endeavors to present a “formal methodology” for assessing cybersecurity vulnerabilities within medical devices. That, he believes, will make it easier to approach companies and have them verify and address the issues.
“We have to systematically and objectively determine which security vulnerabilities present risks to patient harm and which present harm only to the IT infrastructure. Both are very important, but as a patient safety issue, we certainly have to treat them differently,” Rios said.
Rios highlighted that even though a hospital has purchased a medical device, “the work’s not done” and that even simple, solvable issues, like downloading a software patch, are often overlooked. Of the medical devices he has looked into, many have thousands of known vulnerabilities.
Adventium awarded cybersecurity contract
In an effort to thwart cyberattacks on medical devices, the Department of Homeland Security Science and Technology Directorate (DHS S&T) has awarded Minneapolis-based Adventium Enterprises a $2.2 million contract to develop technology geared toward ensuring medical devices are protected against cybersecurity breaches. The project, ISOSCELES (Intrinsically Secure, Open, and Safe Control of Essential LayErS), is part of the Cyber Physical Systems Security Program (CPSSEC) run by the DHS S&T’s broader Cyber Security Division.
As DHS Under Secretary for Science and Technology Dr. Reginald Brothers highlighted, “[m]any medical devices are networked into hospital or other healthcare systems,” leaving them with security vulnerabilities. The CPSSEC is working towards improving security on medical devices in order to manage the threat.
Securities Disclosure: I, Vivien Diniz, hold no investment interest in any of the companies mentioned.