Vaccines, preventative medicines, medical screening and the
body's own immune system are all designed to help safeguard
against health issues before they occur. If the same
safeguards were applied to cybersecurity for
medical devices and hospital-wide systems, potential liability
exposure would be greatly reduced. FDA has now posted specific
recommendations for manufacturers and hospital
organizations to follow in order to minimize cyberattacks.
FDA issued these recommendations against the backdrop of its draft
Guidance for premarket submission for medical devices and the
cybersecurity issues that accompany these submissions.
There has been an enormous increase in the industry's development
and use of wireless, Internet-connected and networked devices. Moreover,
the interconnection of systems in the hospital setting has allowed
for the liberal exchange of health information. FDA has
"become aware of cybersecurity vulnerabilities and incidents
that could directly impact medical devices or hospital network
operations". Examples include, but are not limited to:
medical devices connected to networks that are infected with
malware, and hospital computer systems, smartphones and other
technology where malware has infiltrated and obtained patient
information from databases, implanted devices and patient monitoring
systems. However, FDA reports that it is "not aware of any
deaths or injuries associated with these incidents".
In making its recommendations, FDA stated that "many medical
devices contain configurable embedded computer systems that can be
vulnerable to cybersecurity breaches". Moreover, FDA noted
that many devices are "interconnected" to various
networks in the hospital and thus subject to attack.
While the FDA has proposed its Guidance and recommendations,
there are no rules that a manufacturer or hospital can follow to
protect itself from the significant liability that accompanies a
cybersecurity breach. It is left entirely in the hands of the
organization to address this issue. It is clear, however, that in
order to reduce this significant and growing risk, actions must be
taken to create and implement a cybersecurity system. At a minimum,
the FDA recommendations provide some very basic ground rules.
In its posting, FDA recommends "evaluating" the security
in network systems by:
1. Restricting unauthorized access to the network and networked
medical devices.
2. Making certain appropriate antivirus software and firewalls are
up-to-date.
3. Monitoring network activity for unauthorized use.
4. Protecting individual network components through routine and
periodic evaluation, including updated security patches and
disabling all unnecessary ports and services.
5. Contacting the specific device manufacturer if you think you
may have a cybersecurity problem related to a medical device. If
you are unable to determine the manufacturer or cannot contact the
manufacturer, the FDA and DHS ICS-CERT may be able to assist in
vulnerability reporting and resolution.
6. Developing and evaluating
strategies to maintain critical functionality during adverse
conditions.
Compromising the confidentiality and integrity of information
exposed to cyberattack is tantamount to compromising
patient safety. Accordingly, the potential risks from cyberattacks
demand attention and a cybersecurity plan should be of the utmost
importance to manufacturers and healthcare systems.