FDA releases guidance on post-market management of cybersecurity in medical devices
Recently I blogged on how there needed to be more security around patients’ medical information and how hackers are taking individuals’ information and using it to their benefit. There is another threat that hackers could and will take advantage of – hacking into medical devices. Last month the U.S. Food and Drug Administration (FDA) issued proposed guidelines for post-market management of cybersecurity in medical devices. The guidelines provide best practices for assessing and managing cybersecurity vulnerabilities in medical devices and cover situations involving both hacker access to patient records and hacker access to the devices themselves.
The Draft Guidance also comes shortly after the 2016 Work Plan release by the U.S. Department of Health and Human Services Office of Inspector General (OIG), which indicates that the OIG will examine whether the FDA’s oversight of hospitals’ networked medical devices is sufficient to effectively protect associated electronic protected health information and ensure Medicare beneficiary safety. According to the OIG, its review will focus on dialysis machines, radiology systems, medication dispensing systems and other computerized medical devices that are integrated with electronic medical records and the larger health network.
The FDA issued its first guidance regarding cybersecurity and medical devices in 2013, focusing on medical devices and hospital networks. It stated that it had “become aware” of “cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations.” These included medical devices and computers infected by malicious software, inadequate password protection, and a failure to update software. At that time, the FDA emphasized that it was being proactive and it knew of no breaches that compromised safety. It recommended that medical device companies take steps to limit unauthorized device access, develop strategies for protection and design fail-safe modes for critical functions, as well as provide methods for recovery of data in cases where security had been compromised. Similarly, in 2014, it issued guidance related to security standards in premarket submissions.
This past year, the FDA issued its first warning about a device that was vulnerable to attack. In May 2015, the FDA and the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team were made aware of cybersecurity vulnerabilities associated with Hospira’s Symbiq Infusion System, a pump used to administer fluids such as insulin, pain relievers and chemotherapy drugs. Hospira and an independent researcher confirmed in July 2015 that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or underinfusion of critical patient therapies.
In mid-January of this year, the FDA issued first-ever draft guidance on post-market management of cybersecurity in medical devices. It outlined the steps medical device manufacturers must take to address cybersecurity risks, even after a device is approved. The draft guidance details the agency’s recommendations for monitoring, identifying and addressing cybersecurity vulnerabilities in medical devices once they have entered the market. These include:
- Applying the 2014 National Institute of Standards and Technology voluntary Framework for Improving Critical Infrastructure Cybersecurity, which includes the core principles of identify, protect, detect, respond and recover.
- Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk.
- Understanding, assessing and detecting the presence and impact of a vulnerability.
- Establishing and communicating processes for vulnerability intake and handling.
- Clearly defining essential clinical performance to develop mitigations that protect against, respond to and recover from the cybersecurity risk.
- Adopting a coordinated vulnerability disclosure policy and practice.
- Deploying mitigations that address cybersecurity risk early and prior to exploitation.
These guidelines demonstrate the FDA’s renewed focus in this area; however, both the 2014 and proposed 2016 guidelines are in practice voluntary and nonbinding. Medical device vulnerabilities have been identified by several commentators as one of the largest, if not the largest, cybersecurity threats of 2016, and one can see why—an enterprising hacker could easily hold one’s life for ransom by compromising an insulin delivery system or pacemaker. Indeed, there is little that a consumer can do to protect himself or herself from these vulnerabilities—they must be managed by the device manufacturer.
One notable omission in the guidelines, however, is any penalty for not ensuring the security of devices. Manufacturers are under no obligation to follow best practices or to change their manufacturing processes at this time. I expect competition in the marketplace will handle some reluctance to adopt the guidelines. Penalties may handle the remainder of the reservations.
Read more:
- http://www.thelegalintelligencer.com/id=1202748622425/Regulators-Eye-Medical-Device-Consumer-Cybersecurity-for-2016#ixzz40ui6rpeK
- http://www.qualitydigest.com/inside/fda-compliance-column/022216-fda-proposes-cybersecurity-guidelines-medical-devices.html#
- http://www.natlawreview.com/article/fda-releases-draft-guidance-postmarket-management-cybersecurity-medical-devices#sthash.je03a5hc.dpuf