FDA’s Center for Devices and Radiological Health (CDRH) holds a meeting to discuss cybersecurity risks and threats in medical devices. They describe the unique challenges involved with security and how difficult it is to identify vulnerabilities.

The Threat

This issue is extremely important given how much technology has evolved over the past two decades and how increasingly reliant we are, as a society, on the internet and wireless networks.

Cybersecurity threats have become more frequent in healthcare over time, since a lot of devices are now connected to the internet. This is why, on September 10th, there was an advisory committee meeting to discuss these issues. The FDA is discussing security threats with many professionals, such as health care providers and medical device manufacturers, in order to reduce risk and maintain the health and well-being of patients.

Cybersecurity threats could:

  • Delay treatment
  • Put patients’ health at risk if outside parties exploit device vulnerabilities
  • Lead to privacy issues where patient information is leaked to the world


Mitigating Risks

In order to reduce security threats, the FDA wants devices to be “patched and updated” if any issues arise, guaranteeing that the risks were identified and fixed. They understand that manufacturing devices with absolutely no flaws is hard to do, so it’s best to update medical devices and their software often.

There is also a draft guidance available, issued in October 2018, which goes into detail on security management for premarket submissions of devices. This involves the design, labeling, and documentation.

The FDA’s guidance discusses how manufacturers should design both their devices and software: by identifying and assessing threats, understanding their likelihood and threat level, and working out how to counter these risks.

They want devices to:

  • Require user authentication and use security systems (such as passwords or cards) to limit use by unauthorized individuals
  • Have a strong password protection system
  • Deny permission to use the device by default
  • Verify integrity of incoming data, and protect the integrity of the data stored in the device
  • Permit tracking and control of software changes
  • Detect and notify of any issues

There are many more requirements and recommendations in their draft guidance.


How RegDesk Can Help

Although this guidance has not been finalized, cybersecurity issues are important to consider if your company produces medical devices. RegDesk keeps track of and provides the most up-to-date information on guidances and regulatory news for companies. We make it easy for medical device and pharmaceutical companies to understand worldwide regulatory changes by notifying them whenever one occurs, saving them the time and effort of looking for this information themselves.