FDA Brief: Addressing Cybersecurity Vulnerabilities to Patients

^{Photo/Thumb have been modified. Courtesy of Shutterstock / Ievgenii Meyer.}

Healthcare continues to be a target for cyberattackers and new medical devices and technologies open up new vectors that could put a health system at risk.

If a health system suffers a medical device malfunction or hack, it is important for it to raise awareness about the situation without causing unwanted consequences, Amy Abernethy, M.D., Ph.D., principal deputy commissioner and acting chief information officer of the U.S. Food and Drug Administration (FDA), wrote last week.

When implementing medical devices and technologies into a health system, it may be helpful to know the potential cybersecurity risks, Abernethy suggested.

In technologies like heart pacemakers, computer code is included to set the rhythm of the heart. Concerns can arise because the software being used could become infected with malware that changes the performance of the device. Such devices can also be hacked and leak personal health information.

Addressing Patients Affected by Medical Device Cybersecurity

The FDA works with cybersecurity experts, manufacturers and other federal government agencies to make sure medical devices are developed with cyber safety and risk management in mind, wrote Abernethy and Suzanne Schwartz, M.D., MBA, deputy director of the Office of Strategic Partnerships and Technology Innovation at the FDA’s Center for Devices and Radiological Health.

Recently, the agency has been working with patients and advocacy groups who are becoming more aware of medical device cybersecurity.

In a meeting focused on medical device cybersecurity and using communication to empower patients, healthcare representatives, providers, security researchers, other stakeholders and patients came together and told the FDA that medical device cybersecurity “is a matter of national security, as well as one of patient safety.”

After a cybersecurity breach, health systems have to decide how and when to address the patients who could have been affected. Health systems could have limited information after the cyber vulnerability is identified and sharing information about cybersecurity weaknesses could lead another cybercrime, Abernethy and Schwartz wrote.

Despite this, patients voiced that even if a health system can’t immediately fix a cybersecurity breach or vulnerability, they still want to be told about it.

“Patients said the information would allow them to serve as a ‘boots-on-the-ground’ intelligence system that could alert the FDA to potential instances of harm to patients,” they wrote.

Although patients want to be notified of such an event, they do not want to have to go and search for additional information. Rather, patients urged the FDA to encourage health systems to be more transparent about these events and who might have been affected by using a particular medical device. Patients should not be burdened to seek additional details.

How FDA Is Focused on Ensuring Medical Device Safety

The federal regulator has issued a number of draft guidances to address the safety and efficiency of medical devices.

In September, the agency released a guidance about a safer technologies program for medical devices. And there is a guidance from 2014, which the FDA revised last year, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. The guidance recommends that manufacturers include a list of materials such as commercial, open-source and off-the-shelf software and hardware components that are or could be susceptible to vulnerabilities.

“The (Center for Devices and Radiological Health) cybersecurity vision is one where the medical device community takes bold action to transform medical devices from brittle to resilient,” they wrote. “Every device would meet a security baseline; every device would be easily updatable; and patients would receive timely updates.”

Get the best insights in digital health directly to your inbox.

Related

FDA Identifies Robotic Surgery Software Recall as Class I

URMC Pays $3M to OCR for Mobile Device HIPAA Violation

FDA Grants Breakthrough Status for Blood Oxygen Monitoring Wearable