News Feature | October 14, 2014

FDA Finalizes Recommendations For Mitigating Cybersecurity Risks

By Megan Williams, contributing writer


The agency is holding a workshop that will cover ways in which government, medical device developers, hospitals, cybersecurity professionals, and others can collaborate to improve the state of security and protect public health. Interested parties must register online by 4 p.m., October 14, 2014.

The FDA has issued a new set of recommendations that will impact any dealings you have with clients around medical devices and data security.

The agency has been concerned about the exposure of healthcare data through medical devices and the software used to access patient data. This isn’t without good reason. According to the agency, “as medical devices become more interconnected and interoperable, they can improve the care patients receive and create efficiencies in the healthcare system. Some medical devices, like computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.”

The Concerns

The agency’s concerns include the following:

  • malware infections on network-connected medical devices or computers, smartphones, and tablets used to access patient data
  • unsecured or uncontrolled distribution of passwords
  • failure to provide timely security software updates and patches to medical devices and networks
  • security vulnerabilities in off-the-shelf software designed to prevent unauthorized access to the device or network

The agency, according to Tech Times, wants to encourage manufacturers and developers to make security considerations a key component of design and to create plans that detail how software would be patched if a device or program becomes vulnerable to malware or another security threat. The FDA also claims that the newly issued guidelines are not reactionary and are instead a preventative measure.

“The FDA has neither an indication that specific devices or systems have been purposely targeted, nor reports that any patients have been harmed as a result of cybersecurity breaches, but remains concerned about device-related cybersecurity vulnerabilities and their potential to adversely impact public health.”

The Guidance

The final guidance, titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices; Guidance for Industry and Food and Drug Administration Staff; Availability,” was issued on October 2 and is a result of the FDA working closely with other federal agencies, along with the device industry, to communicate vulnerabilities to stakeholders. The agency, according to the Federal Register, is also planning on holding a public workshop this fall that will cover ways in which government, medical device developers, hospitals, cybersecurity professionals, and others can collaborate to improve the state of security and protect public health. Interested parties must register online by 4 p.m., October 14, 2014.

Copies are available via download, or by electronic request to CDRH-Guidance@fda.hhs.gov.

Recommended Reading

“Capitalize On The Growing BYOD Security Threat” discusses the challenge of helping your customers fit mobile devices into their IT environments in secure ways, while creating additional revenue streams for yourself.