FDA won’t do that: Cybersecurity edition

The medical device industry should not treat cybersecurity as though it were a check box—and it may want to brush up on FDA’s role, says Seth Carmody, PhD, cybersecurity program manager at FDA.

Speaking this week during an HIMSS 2017 education session, Carmody warned that the clinical environment “represents a large attack surface for national security today,” as reported by Healthcare Informatics. He also said that if medtech continues to focus only on intended use, it is creating an underbelly of security vulnerability that will need collaborative measures between manufacturers, providers, and regulators.

Carmody gave industry and healthcare providers some straight talk, a fact-vs-myth discussion, clarifying FDA’s role in medtech cybersecurity. Some key points:

  1. FDA is not solely responsible for medtech security.
  2. FDA does not need to approve (or clear) issue updates or cybersecurity fixes.
  3. FDA will not test devices for cybersecurity vulnerabilities.
  4. Healthcare organizations can (and should) issue patches or updates for cybersecurity reasons.

Many of these statements have been made by FDA before. FDA clarified these ideas with the release of Postmarket Management of Cybersecurity in Medical Devices in December 2016.

Suzanne B. Schwartz, FDA’s Associate Director for Science and Strategic Partnerships at CDRH, has offered additional advice on the topic via her blog, as follows:

  • Have a way to monitor and detect cybersecurity vulnerabilities in their devices.
  • Understand, assess and detect the level of risk a vulnerability poses to patient safety.
  • Establish a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities (known as a “coordinated vulnerability disclosure policy”).
  • Deploy mitigations (e.g., software patches) to address cybersecurity issues early, before they can be exploited and cause harm.

Schwartz also noted that this is not the end of FDA’s efforts, merely a beginning step in addressing cybersecurity. “We will continue to work with all medical device cybersecurity stakeholders to monitor, identify and address threats, and intend to adjust our guidance or issue new guidance, as needed.”
