There have been numerous reports of medical devices being hacked, threatening the security of hospital computer networks. With these concerns in mind, the FDA has just released new guidelines to reduce the likelihood of that happening to other healthcare systems.
Entitled Postmarket Management of Cybersecurity in Medical Devices, the draft guidelines recognize the seriousness of the threat, pointing out that: “A growing number of medical devices are designed to be networked to facilitate patient care. Networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats. The exploitation of vulnerabilities may represent a risk to the safety and effectiveness of medical devices and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits.”
The new guidelines emphasize the FDA’s position that medical device security is a shared responsibility between the manufacturer and the medical facility using the equipment. To help companies fulfill their share of the responsibility, FDA recommends adoption of the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology.
The FDA is also encouraging manufacturers to develop comprehensive cybersecurity risk management programs rather than to take a reactive stance that only addresses device weaknesses after they have done damage to a healthcare system’s computer network.
This more proactive approach would encompass several key components:
- Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk
- Understanding, assessing and detecting presence and impact of a vulnerability
- Establishing and communicating processes for vulnerability intake and handling
- Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk
- Adopting a coordinated vulnerability disclosure policy and practice
- Deploying mitigations that address cybersecurity risk early and prior to exploitation.
Recent events have made it clear that there’s a need for stronger medical device security protocols. In July 2015, for instance, the Department of Homeland Security and FDA warned providers to avoid using a Hospira Symbiq infusion pump because of a vulnerability that allowed hackers to gain remote control of the device. Similarly, in 2010, a VA catheterization lab in New Jersey had to temporarily close because its computerized devices had been infected with malware.