Will the FDA’s new guidance boost medical device cybersecurity?

Healthcare providers and medical device manufacturers are beginning to implement new technologies such as the cloud, mobility, Big Data, and the Internet of Things (IoT) into care models, leading medical devices to become increasingly connected – to the internet, hospital networks, and each other.

The use of connected medical devices such as insulin pumps and implanted pacemakers brings the risk of hacking directly to patients. To secure not only the device itself but also its stored data, attention is turning to increased cybersecurity efforts. As part of this shift, the FDA is updating its guidance for medical device manufacturers in order to address the evolving technological landscape and increased insight into cyber threats.

On 17 October, the FDA issued a draft guidance document, ‘Content for Premarket Submissions for Management of Cybersecurity in Medical Devices’, which improves upon its original 2014 guidance document with revised recommendations.

Among the new recommendations is the cybersecurity bill of materials, a list of the software and hardware components of a medical device that may be vulnerable to cyber threats. This bill of materials would make healthcare facilities and end users aware of security issues and allow them to appropriately prepare for those vulnerabilities. The FDA has opened a comment period on the new draft guidance document through 18 March 2019, after which the new recommendations will be finalised.

In another bid to improve medical device cybersecurity efforts, the FDA announced on 16 October a new agreement with the US Department of Homeland Security (DHS). This agreement, between the FDA’s Center for Devices and Radiological Health and the DHS’ Office of Cybersecurity and Communications, aims to improve coordination and cooperation between the two agencies on medical device cybersecurity through the sharing of information on potential or confirmed vulnerabilities and threats. This coordination is expected to improve the timeliness and quality of response to threats to patient safety.

Although the FDA has provided pre-market and post-market guides to offer recommendations and assist in improved cybersecurity practices, cybersecurity responsibilities are largely left to medical device manufacturers. Improved awareness of the risks and more stringent regulations are needed to encourage manufacturers to incorporate cybersecurity as a core component of device development rather than as an ‘add-on’ after market approval, which will strengthen medical devices against cyberattacks.