FDA Ramps Up Its Medical Device Cybersecurity Efforts

^{The FDA is working to improve medical device security.}

The U.S. Food and Drug Administration made two moves to address the cybersecurity of medical devices this week. On Tuesday, the agency announced increased coordination with the Department of Homeland Security on the matter, and today it released new guidelines for premarket submissions of medical devices.

>> READ: These Data Security Challenges Are Plaguing Healthcare

“As innovation in medical devices advances and more devices are connected to hospital networks or to other devices, ensuring that devices are adequately protected against cyber intrusions is paramount to protecting patients,” FDA Commissioner Scott Gottlieb, M.D., said in a statement released by the agency.

The news comes just two weeks after the FDA launched a new “playbook” that outlined a framework for cybersecurity readiness and a plan for the various stakeholders in the medical device industry to ensure the security of their devices, report vulnerabilities and respond to breaches.

These efforts are designed to address the fact that as more devices are interconnected, millions of these devices can serve as access points to networked hospital systems and, if unprotected, leave those networks exposed.

The FDA’s partnership with homeland security formalizes their long-standing relationship. Making it official will allow for greater collaboration between the two agencies, which will help in identifying vulnerabilities and threats and responding proactively when a data breach occurs.

An arm of the Department of Homeland Security will continue to act as the center for information sharing between medical device manufacturers, researchers and the FDA. Regulators at the FDA will continue to advise homeland security of potential threats, according to the release.

The FDA also released new draft guidelines for medical device makers who are preparing to submit new devices for review. This is an update to previous guidelines, last released in 2014, on "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.”

“Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the U.S. and globally,” the introduction to the guidelines note.

The guideline updates were required to keep pace with the changes within the world of medical cybersecurity, according to the FDA.

“The rapidly evolving landscape, and the increased understanding of the threats and their potential mitigations, necessitates an updated approach.”

The comment period on these recommendations will be open for 150 days, and the finalized versions will replace the 2014 version.

Get the best insights in healthcare analytics directly to your inbox.

Related

Securing the Forgotten Servers: Why Printers Are The Biggest Security Risk Today

Yes, Healthcare’s Data Breach Problem Really Is That Bad

What to Do Before and After a Data Breach