Last week FDA pulled together experts in cybersecurity, global regulation, software and product design to openly discuss how the medical device industry can work with partners to develop best practices in assessing cybersecurity threats and ensuring that critical information is protected. The public workshop was the second agency meeting on the topic (the first occurred in 2014). Held in collaboration with HHS, the National Health Information Sharing Analysis Center, and the Department of Homeland Security, the event made clear that the issue concerns not just device companies but the government as a whole.
Although progress has been made, it’s clear that industry has a long way to go in strengthening medical device cybersecurity. In his opening remarks, Acting FDA Commissioner Stephen Ostroff even admitted, “I’m probably the last person at FDA who should be giving remarks at a meeting regarding wireless and network technologies and the cybersecurity concerns that come along with these technologies.” Ostroff reflected on the wakeup call he had within the past year when he lost his personal cell phone, calling it a “great lesson” in cybersecurity.
“Medical device cybersecurity is a total lifecycle issue.” – Suzanne Schwartz, MD, CDRH
With medical networks and wireless and interoperable devices still quite vulnerable to security breaches and malicious intrusions, last week’s meeting stressed the importance of preparing in advance rather than learning this the hard way. “We know that it takes work and that it’s hard to build cybersecurity into medical devices and systems that are not self-contained at the time that they are actually developed,” said Ostroff. He added that the issue becomes far more complicated once a device hits the market, especially because risks and vulnerability increase over time.
“Success in this area requires the engagement of both the public and private sector, medical device manufacturers, healthcare facilities and personnel, professional and trade organizations, patient groups, insurance providers, cybersecurity researchers, and yes, even hackers, and officials from all levels of government,” said Ostroff. “To be effective, we have to take advantage of and leverage the knowledge and expertise of the entire cyber research community and many others.”
During the workshop, experts discussed the following key points related to cybersecurity:
- Cybersecurity is not just a technology problem. Companies must invest in people who have the expertise
- In addressing post-market cybersecurity, vulnerabilities need to be assessed as controlled or uncontrolled. Risk management is an important part of this process
- Tying the development and engineering world with the security world is the first step in building a foundation
- The recently released FDA guidance on cybersecurity reiterates the point that medtech manufacturers must comply with QSRs
- There’s a need to involve all stakeholders in the healthcare ecosystem and engage in upfront communication with the user about the shared responsibility
- Even the most sophisticated companies don’t necessarily have the resources to build their own hospitals (a.k.a. testing devices at the hospital scale)