The FDA Guide: How Medical Devices Can Be Secured

Medical devices have gone from simple bandages that help wrap up wounds to MRI machines that scan the body for organ irregularities. With increasing complexity over the last five years, these devices have come to rely on software and the Internet to assist people with more efficiency. Now that these machines are able to communicate with one another, their network is susceptible to data loss and compromise due to cyberattacks. A good example of this was the 2017 WannaCry’s ransomware attack against the UK’s National Health Service (NHS), costing them £92M to recover the data and its subsequent cleanup.

Losing confidence in their security

According to a survey conducted by KLAS and the College of Healthcare Information Management Executives (CHIME), provider organizations do not have complete confidence in the security of their medical devices. The most common reasons cited point out either a hesitation on the manufacturer’s part to update these said devices, or that patches do occur, but these take too long. As proof, the survey revealed that about 18% of the organizations who participated in the survey have experienced malware attacks on their medical devices in 2018. When these devices are out-of-date, they become vulnerable to data breaches—as most software and gadgets are when they are not properly secured. This problem is compounded by the fact that these devices have long life spans and are vital to a patient’s medical needs. This security loophole could lead to issues in the future. Medtronic, a company that manufactures pacemakers and implantable insulin pumps, admits that their devices still show a lot of vulnerabilities. Hackers can get into the computer a doctor uses to program these pacemakers and put in a new code that would send out harmful instructions to all the devices connected to it. If the insulin pump or pacemaker disables, it could lead to the patient’s death—and a healthcare provider’s lawsuit. However, health organizations are currently at a loss. On the one hand, withholding these medical tools could jeopardize their patient’s health. On the other, purchasing and using these already-vulnerable devices heighten the risk for data breaches. Where then is the middle ground?

How the FDA steps in

Back in 2014, the Food and Drug Administration (FDA) released a guidance document called the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. This document tackles the list of cybersecurity risks that a company has to consider when designing a medical device, as well as the list of controls necessary for the device. The document also gives instructions and recommendations when drafting a 510(k) for submission. In 2018, the FDA updated this original content and provided revised recommendations. This includes materials, software, and hardware components that may have vulnerabilities to malware and cyberattacks. The guide is still open to additional suggestions and edits until March 2019, when the administration includes the final revisions.

Here are a few recommendations from the FDA to further protect the devices:

• Choose device manufacturers wisely. Ensure that manufacturers go through and follow the quality system regulations (QSRs) provided by the FDA.
• Have devices constantly updated. Manufacturers can and should update medical devices to improve its protection against cyberattacks. If not manufacturers, then Healthcare Delivery Organizations (HDOs) are also responsible for patching up outdated software.
• Have devices validated. When the software has been changed or updated, see to it that the manufacturers follow the validation guidelines provided by the FDA.

It is not only important that healthcare providers are made aware of the risks, but that they also are made vigilant towards medical device suppliers and manufacturers. Keeping one another accountable and informed will ultimately help save a lot of lives in the future.

We are Wilson Consulting

Our company conducts security assessment to help you identify vulnerabilities in your devices.  Our Cyber Security Assessment provides a detailed evaluation of an organization’s existing security policies, procedures, controls and mechanisms in relation to best practices and industry standards.  We provide practical actionable recommendations to address any identified risk and ensure your organization’s device exceeds FDA’s cyber security requirements.