By QA Consulting, Inc.
With the rising demand for connected medical devices, understanding your products’ potential vulnerabilities and the evolving regulatory landscape is essential. Manufacturers must be proactive about building cybersecurity into the design of their products to remain competitive.
In February of this year, the FDA announced the appointment of Kevin Fu as Acting Director of Medical Device Cybersecurity at the Center for Devices and Radiological Health (CDRH). In this newly created position, Fu will help ensure the safety and effectiveness of medical devices by protecting them from digital security threats.
Ready to start addressing cybersecurity vulnerabilities in your medical devices but not sure where to begin? Our recommendation is to understand the Myths and Facts regarding the FDA’s role in Medical Device Cybersecurity. A risk assessment can be used to identify potential vulnerabilities and prioritize cybersecurity in future risk management strategies.
Read on to learn more about:
- Product vulnerabilities
- Industry standards and guidelines
Existing and Emerging Vulnerabilities
Medical device cyberattacks can also be a threat to patient safety.
A wide variety of products may be vulnerable to security breaches, including pacemakers, insulin pumps, and remote patient monitoring devices.
Any medical device that utilizes software, connects to the internet, or accesses the cloud to share data must take the threat of cybercriminals seriously. Even if it’s only a minor component or feature of your device, it’s a weakness that must be addressed in your risk management plan.
Further, most healthcare systems lack the security professionals and resources to track the inventory of connected devices and the data being shared within their networks.
The COVID-19 pandemic has only exacerbated the situation by accelerating the adoption of connected devices and sharing personal health information over unsecured networks as an easy alternative to in-person visits.
Standards and Regulatory Guidance
In response to the need to mitigate cybersecurity threats, updates to medical device risk management standards have reflected the evolving technology landscape.
Below is a sampling of the industry standards and guidance medical device manufacturers should look to for developing cybersecurity-driven risk management strategies:
- ISO 14971 specifies the terminology, principles, and process for risk management of medical devices, including quickly evolving medical device software products.
- IECTR/80002-1:2009 provides guidance on the application of ISO 14971 to medical device software.
- AAMI TIR57 offers guidance on information security risk management for a medical device in the context of the Safety Risk Management process required by ISO 14971.
- AAMI TIR97 builds on the framework provided in TIR57 and offers tenets for the postmarket management of medical devices.
Medical Device Cybersecurity Resources
Trusted sources for reliable and up-to-date cybersecurity include:
- FDA’s Digital Health Center of Excellence
- Medical Device Innovation Consortium
- Advanced Medical Technology Association (AdvaMed)
- MITRE Medical Device Security Playbook
Guidance on how to address cybersecurity threats and vulnerabilities in the medical device industry is quickly evolving. Refer to the FDA Cybersecurity Guidances for the most up-to-date information.