Suzanne Schwartz


Creating a Safety Net for Medical Devices

A life-cycle approach for monitoring cybersecurity vulnerabilities

Published: Tuesday, November 22, 2016 - 00:00

During National Cybersecurity Awareness Month, which took place in October, the public and industry were encouraged to understand the importance of cybersecurity and to be vigilant when it comes to the technology we rely on every day, including helping patients remain confident in the safety of their medical devices.

Many medical devices are “life critical systems,” meaning they play a crucial role in monitoring and protecting human life. As more of these systems use technology to interconnect, we must be dedicated to securing them from hackers and cyber attacks.

Here at the U.S. Food and Drug Administration (FDA), we work with hospitals, healthcare professionals, and patients to provide medical device manufacturers with guidance for monitoring, identifying, and addressing cybersecurity vulnerabilities in their devices before and after they have entered the market. To further counter threats, the FDA has been making a deliberate effort to work with outside groups—including those we have previously not engaged with—such as security researchers.

This outreach has allowed our guidance to evolve. While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also be proactive and on guard for potential vulnerabilities and emerging threats throughout the life cycle of devices, and be prepared to devise solutions. These are points made in FDA’s draft guidance on post-market medical device cybersecurity, issued in January 2016.

A life-cycle approach requires creating, evolving, and maintaining a comprehensive cybersecurity risk management program starting from early product development and extending throughout the product’s lifespan. A key component of such a program is what should be done after a product’s potential risks and vulnerabilities have been identified. A life-cycle approach should include manufacturers collaborating with entities that discover threats or vulnerabilities to a medical device’s cybersecurity in order to understand and assess the identified risks. It should also include manufacturers developing appropriate solutions prior to the vulnerabilities being publicly disclosed, which is an added protection for patients.

But our work alone won’t achieve safety unless all stakeholders recognize and remain vigilant against potential threats. Medical device manufacturers, government agencies, healthcare delivery organizations, healthcare professionals, and patients all share this responsibility.

In recognition of this shared responsibility, the FDA has entered into a partnership with the National Health Information Sharing and Analysis Center (NH-ISAC) and the Medical Device Innovation, Safety, and Security Consortium (MDISS) to foster rapid sharing of medical device vulnerabilities, threats, and mitigations within the hospital and healthcare ecosystem. Doing so will help to proactively address cybersecurity threats and vulnerabilities that may affect patient safety.

Digital connections provide great power to innovate, and security must keep pace with that innovation. Safeguarding our sector’s—Healthcare and Public Health (HPH)—critical infrastructure therefore includes first identifying, and then addressing previously unforeseen medical-device cybersecurity vulnerabilities. We encourage everyone to be aware, vigilant, and committed to upholding and strengthening cybersecurity. Through a joint approach encompassing the public and several government agencies, we are beginning to see the necessary change in culture within the medical device ecosystem, accompanied by progress in managing medical device cybersecurity.

The FDA’s January 2016 workshop, “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity,” highlighted some of the progress that has been made. Moreover, recent examples of coordinated vulnerability disclosure between medical device manufacturers and security researchers demonstrate the promise of partnership in addressing medical device cybersecurity. But there is still work to be done, and we must remain committed to working collaboratively to address our goal of protecting the public health.


About The Author


Suzanne Schwartz

Suzanne Schwartz is the Director of Emergency Preparedness/Operations and Medical Countermeasures, Office of the Center Director, Center for Devices and Radiological Health, Food and Drug Administration. She spearheads the InterCenter Wound Healing Working Group and represents the FDA in several inter-agency working groups and integrated program teams for the Public Health Emergency Medical Countermeasures Enterprise for chemical, biological, radiological, and nuclear threats.