Suzanne Schwartz


Creating a Safety Net for Medical Devices

A life-cycle approach for monitoring cybersecurity vulnerabilities

Published: Tuesday, November 22, 2016 - 00:00

During National Cybersecurity Awareness Month, which took place in October, the public and industry were encouraged to understand the importance of cybersecurity and to be vigilant when it comes to the technology we rely on every day, including helping patients remain confident in the safety of their medical devices.

Many medical devices are “life critical systems,” meaning they play a crucial role in monitoring and protecting human life. As more of these systems use technology to interconnect, we must be dedicated to securing them from hackers and cyber attacks.

Here at the U.S. Food and Drug Administration (FDA), we work with hospitals, healthcare professionals, and patients to provide medical device manufacturers with guidance for monitoring, identifying, and addressing cybersecurity vulnerabilities in their devices before and after they have entered the market. To further counter threats, the FDA has been making a deliberate effort to work with outside groups—including those we have previously not engaged with—such as security researchers.

This outreach has allowed our guidance to evolve. While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also be proactive and on guard for potential vulnerabilities and emerging threats throughout the life cycle of devices, and be prepared to devise solutions. These are points made in FDA’s draft guidance on post-market medical device cybersecurity, issued in January 2016.

A life-cycle approach requires creating, evolving, and maintaining a comprehensive cybersecurity risk management program starting from early product development and extending throughout the product’s lifespan. A key component of such a program is what should be done after a product’s potential risks and vulnerabilities have been identified. A life-cycle approach should include manufacturers collaborating with entities that discover threats or vulnerabilities to a medical device’s cybersecurity in order to understand and assess the identified risks. It should also include manufacturers developing appropriate solutions prior to the vulnerabilities being publicly disclosed, which is an added protection for patients.

But our work alone won’t achieve safety if all stakeholders do not recognize and remain vigilant against potential threats. Medical device manufacturers, government agencies, healthcare delivery organizations, healthcare professionals, and patients all share this responsibility.

In recognition of this shared responsibility, the FDA has entered into a partnership with the National Health Information Sharing and Analysis Center (NH-ISAC), and the Medical Device Innovation, Safety, and Security Consortium (MDISS) to foster rapid sharing of medical device vulnerabilities, threats, and mitigations within the hospital and healthcare ecosystem. Doing so will help to proactively address cybersecurity threats and vulnerabilities that may affect patient safety.

Digital connections provide great power to innovate, and security must keep pace with that innovation. Safeguarding the critical infrastructure of our sector, Healthcare and Public Health (HPH), therefore includes first identifying and then addressing previously unforeseen medical-device cybersecurity vulnerabilities. We encourage everyone to be aware, vigilant, and committed to upholding and strengthening cybersecurity. Through a joint approach encompassing the public and several government agencies, we are beginning to see the necessary change in culture within the medical device ecosystem, accompanied by progress in managing medical device cybersecurity.

The FDA’s January 2016 workshop, “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity,” highlighted some of the progress that has been made. Moreover, recent examples of coordinated vulnerability disclosure between medical device manufacturers and security researchers demonstrate the promise of partnership in addressing medical device cybersecurity. But there is still work to be done, and we must remain committed to working collaboratively to address our goal of protecting the public health.


About The Author


Suzanne Schwartz

Suzanne Schwartz is the Director of Emergency Preparedness/Operations and Medical Countermeasures, Office of the Center Director, Center for Devices and Radiological Health, Food and Drug Administration. She spearheads the InterCenter Wound Healing Working Group and represents the FDA in several inter-agency working groups and integrated program teams for the Public Health Emergency Medical Countermeasures Enterprise for chemical, biological, radiological, and nuclear threats.