Cybersecurity is still a relatively recent problem for medical device manufacturers. From new hazard sources (i.e., hackers) to building security into product requirements, device manufacturers have to manage a complicated set of risks and vulnerabilities. In a game of “myth versus fact” during MedTech Intelligence’s cybersecurity conference last month, FDA’s Seth Carmody and Suzanne Schwartz, M.D. cleared up some of the misconceptions people may have about the role of FDA and its perspective on cybersecurity.
Myth: The FDA is the federal entity solely responsible for the cybersecurity of medical devices.
In reality, the agency works with many federal government entities such as the U.S. Department of Homeland Security, as well as device manufacturers, the private sector, healthcare delivery groups, security researchers and experts, and end users—all in an effort to improve cybersecurity.
Myth: Cybersecurity for medical devices is optional.
Device manufacturers are required to comply with federal regulations, which include the quality system regulation, part of which mandates that companies address risks (including cybersecurity risk).
“The pre-and post-market cybersecurity guidances articulate that a comprehensive, structured and systematic cybersecurity risk management program is necessary under the Quality System Regulation.” – FDA
In addition, there are many economic forces in play. “Your procurers will be asking for security,” said Seth Carmody, senior program manager for medical device cybersecurity at CDRH. “[On the liability side], if there’s a breach, there are certain ramifications. There are many factors [that] tie to if you’re doing due diligence.”
Myth: The FDA tests for cybersecurity of medical devices.
Fact: The agency doesn’t conduct premarket testing for any medical devices.
Myth: Medical device manufacturers can’t update medical devices for cybersecurity without going to FDA for re-certification.
Of course manufacturers can update a device for cybersecurity. In addition, the agency doesn’t usually need to review changes made to a device, nor does it require premarket review or a product recall, if the software changes are solely to enhance cybersecurity. “These are changes that we consider to be akin to device enhancements,” said Suzanne Schwartz, M.D., associate director for science and strategic partnerships at CDRH, adding that there are exceptions.
Myth: Healthcare delivery organizations (HDOs) can’t update and patch medical devices for cybersecurity.
Actually, HDOs are responsible for implementing devices on their networks and may need to patch or change devices or the supporting infrastructure to lower security risks. However, these changes must be validated, and the FDA recommends that HDOs work with device manufacturers to convey the necessary changes.