While new cybersecurity guidance from the Food and Drug Administration recognizes that the responsibility for keeping medical device data secure is shared among stakeholders, it also offers several steps manufacturers should take to prevent potential security incidents.
The guidance recommends manufacturers consider cybersecurity during the design process and identify ways the device can be safer without impeding functionality. Medical devices should also have features that allow makers to detect cybersecurity issues once they are in use, and makers should have a plan to handle such occurrences. The guidance also suggests manufacturers' premarket submissions include documentation of any known or possible cybersecurity risks associated with a device.
"There is no such thing as a threat-proof medical device," said Suzanne Schwartz, MD, director of emergency preparedness/operations and medical countermeasures at the FDA's Center for Devices and Radiological Health. "It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks."
The guidance comes as new evidence suggests medical devices may be particularly vulnerable to cyberattack. In June, Scott Erven, manager of information security at Duluth, Minn.-based Essentia Health, presented research showing how medical devices may be easier to hack than many hospitals or health systems realize.