FDA Commissioner Scott Gottlieb, MD, unveiled four steps the agency is taking to strengthen its cybersecurity program for medical devices Oct. 1.
Dr. Gottlieb highlighted the agency isn't aware of any cases in which hackers have exploited a cybersecurity vulnerability in a medical device used by a patient. However, cybersecurity researchers have warned about the potential of such attacks.
"The risk of such an attack persists … and we understand that the threat of such an attack can cause alarm to patients who may have devices that are connected to a network," Dr. Gottlieb said in a statement. "We want to assure patients and providers that the FDA is working hard to be prepared and responsive when medical device cyber vulnerabilities are identified."
In August, for example, cybersecurity company McAfee said it found a way to modify patients' heart rate data displayed on a central monitoring station.
Here are four of the efforts Dr. Gottlieb discussed Oct. 1, the first day of National Cybersecurity Awareness Month:
1. Cybersecurity "playbook." The FDA teamed up with Mitre Corp., a nonprofit that operates federally funded research and development centers, to roll out a playbook to help hospitals and health systems with cybersecurity readiness for medical devices. The playbook outlines how to develop medical device inventories, conduct training exercises among staff and take steps to reduce patient safety concerns.
2. Information sharing. The FDA will establish information sharing analysis organizations to gather and disseminate information about cybersecurity risks. One ISAO will bring together devicemakers to share information about potential vulnerabilities and emerging threats, while another project will encourage government agencies, such as Homeland Security, to develop collaborative responses to cyberthreats.
3. Updated premarket guidance. The FDA's current premarket guidance was finalized in 2014. In October, the agency plans to publish an update with new cybersecurity guidance — such as asking manufacturers to provide a "cybersecurity bill of materials," or a list of commercial and off-the-shelf software and hardware components in a device that could be susceptible to vulnerabilities.
4. Dedicated resources. The FDA Center of Excellence for Digital Health, which the agency proposed in its budget for fiscal year 2019, will support a cybersecurity unit focused on medical devices, including those that are software-based or fall under the category of digital health.
"Securing medical devices from cybersecurity threats cannot be achieved by one government agency alone. Every stakeholder — manufacturers, hospitals, healthcare providers, cybersecurity researchers and government entities — all have a unique role to play in addressing these modern challenges," Dr. Gottlieb said. "In this way, we can ensure the healthcare sector is well positioned to proactively respond when cyber vulnerabilities are identified in products that we regulate."