As threats grow and regulators scrutinize the controls meant to address them, medical device makers increasingly need guidance on security.
For five days in July 2018, someone hacked the email account of an employee at cancer-testing startup Guardant Health and stole information that included names, Social Security numbers, birthdates, and medical diagnosis codes. The breach, involving about 1,100 patients, came to light when the company filed for its initial public offering with the Securities and Exchange Commission.
In 2015, the FDA warned that a networked infusion pump was vulnerable to being accessed and controlled by unauthorized users. Concerned that attackers could harm patients by altering their medication dosing, the agency warned healthcare facilities to discontinue its use.
The National Institutes of Health says 40 percent of IoT-linked devices will be health-related, more than any other category. A 2015 KPMG cybersecurity survey of providers and health plans reported that four in five healthcare organizations had been attacked in the preceding two years, and only half felt adequately prepared to fend off a future assault.
Two years later, things had not changed much. The KPMG 2017 Cyber Healthcare & Life Sciences Survey reported a dramatic rise in computer system breaches and data compromises since the 2015 study. Still, 43 percent of respondents had not increased their cybersecurity spending.
In September 2018, the U.S. Department of Health and Human Services issued its own warning on medical device security. “Cybersecurity threats to networked medical devices are on the rise,” the report said.
Specifically, HHS recommended that device makers and the FDA conduct presubmission meetings to better address cybersecurity-related questions, that the agency include cybersecurity questions as an element of its template for 510(k) premarket notification submissions, and that the FDA begin requiring cybersecurity documentation elements on its refuse-to-accept checklists.
The FDA concurred with all three recommendations and is taking steps to implement them. The agency also recommends that manufacturers include the following in their submissions for networked devices:
- A hazard analysis listing cybersecurity risks considered and controls built into the device
- A traceability matrix linking the cybersecurity threats and controls
- The manufacturer’s plans for validating and updating device software
- A description of controls in the software supply chain
- Device instructions and recommended cybersecurity controls, such as antivirus software, appropriate for the intended user
Much of the thinking and guidance on the security of networked medical devices is relatively recent and still evolving. FDA reviewers increasingly request additional cybersecurity documentation from manufacturers when performing premarket reviews.
Date: October 23, 2018
Source: EE Times