By: Suzanne B. Schwartz, M.D., M.B.A.
October is National Cybersecurity Awareness Month. Proclaimed by President Obama each year, Cybersecurity Awareness Month encourages the public and industry to understand the importance of cybersecurity and to be vigilant when it comes to the technology we rely on every day, including helping patients remain confident in the safety of their medical devices.
Many medical devices are “life critical systems”—meaning they play a crucial role in monitoring and protecting human life. As more and more of these systems use technology to interconnect, we must be dedicated to securing them from hackers and cyber-attacks.
Here at FDA, we work with hospitals, health care professionals, and patients to provide medical device manufacturers with guidance for monitoring, identifying, and addressing cybersecurity vulnerabilities in their devices before and after they have entered the market. To further counter threats, FDA has been making a deliberate effort to work with outside groups—including those we have previously not engaged with—such as security researchers.
This outreach has allowed our guidance to evolve. While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also be proactive and on guard for potential vulnerabilities and emerging threats throughout the lifecycle of devices, and be prepared to devise solutions—points made in FDA’s draft guidance on postmarket medical device cybersecurity, issued in January 2016.
A life cycle approach requires creating, evolving, and maintaining a comprehensive cybersecurity risk management program starting from early product development and extending throughout the product’s lifespan. A key component of such a program is what should be done after a product’s potential risks and vulnerabilities have been identified. A life cycle approach should include manufacturers collaborating with entities that discover threats or vulnerabilities to a medical device’s cybersecurity in order to understand and assess the identified risks. It should also include manufacturers developing appropriate solutions prior to the vulnerabilities being publicly disclosed, which is an added protection for patients.
But our work alone won’t achieve safety if all stakeholders do not recognize and remain vigilant against potential threats. Medical device manufacturers, government agencies, health care delivery organizations, health care professionals, and patients all share this responsibility.
In recognition of this shared responsibility, FDA has entered into a partnership with the National Health Information Sharing and Analysis Center (NH-ISAC) and the Medical Device Innovation, Safety, and Security Consortium (MDISS) to foster rapid sharing of medical device vulnerabilities, threats, and mitigations within the hospital and health care ecosystem. Doing so will help to proactively address cybersecurity threats and vulnerabilities that may impact patient safety.
Digital connections provide great power to innovate—and security must keep pace with that innovation. Safeguarding the critical infrastructure of our sector, Healthcare and Public Health (HPH), therefore includes first identifying and then addressing previously unforeseen medical device cybersecurity vulnerabilities. As National Cybersecurity Awareness Month rolls on, we encourage everyone to be aware, vigilant, and committed to upholding and strengthening cybersecurity. Through a joint approach encompassing the public and several government agencies, we are beginning to see the necessary change in culture within the medical device ecosystem, accompanied by progress in the management of medical device cybersecurity. FDA’s January 2016 workshop “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity” highlighted some of the progress that has been made. Moreover, recent examples of coordinated vulnerability disclosure between medical device manufacturers and security researchers demonstrate the promise of partnership in addressing medical device cybersecurity. But there is still work to be done, and we must remain committed to working collaboratively to address our goal of protecting the public health.
For more information about National Cybersecurity Awareness Month including tips on cyber safety, visit the Stop.Think.Connect.™ campaign website. You can also find more information about medical device cybersecurity on FDA’s Center for Devices and Radiological Health web page.
Suzanne B. Schwartz, M.D., M.B.A., is Associate Director for Science and Strategic Partnerships at FDA’s Center for Devices and Radiological Health.