Globally, healthcare regulators have identified cyber security as a key issue for medical devices such as infusion pumps, implantable pacemakers, cardiac defibrillators and telemetry heart monitors. Experts and regulators worldwide are focused on reducing device vulnerability and mitigating the risks of hacking and malware attacks.
AdvaMed has recently praised the U.S. FDA for its proactive leadership and for working collaboratively with the MedTech industry and the broader healthcare community in the cybersecurity space.
Ensuring medical devices are shielded from cybersecurity threats is, in the words of the U.S. Food and Drug Administration, a “shared responsibility” among all stakeholders.
Medical technology companies, hospitals, physicians, IT professionals, providers, regulators and patients all need to work together so that the safety and integrity of interconnected medical devices – everything from pacemakers and ICDs to monitors and infusion pumps – is not compromised due to cyber threats.
No one takes this responsibility more seriously than America’s medical technology companies, for whom patient safety is the #1 priority. Unfortunately, little is known or understood about the extensive work medical technology manufacturers have done and are doing to address this potential threat.
Medtech companies continuously assess the security of their devices in a world where the risks continuously evolve. They address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment, maintenance and disposal of the device and associated data.
Similarly, manufacturers implement proactive measures to manage medical device cybersecurity, including but not limited to routine device cyber maintenance, assessing post-market information, employing risk-based approaches to characterizing vulnerabilities, and timely implementation of necessary actions. These requirements are a matter of law, as FDA has in place comprehensive regulations prescribing these risk management programs, and manufacturers face severe penalties for failing to follow the rules.
But addressing this issue goes beyond an individual company’s merely meeting current regulations. Cybersecurity is ever-evolving, and the medical technology industry recognizes that it must constantly evolve to meet potential threats. That’s why we collectively developed our own set of medical device cybersecurity principles. These principles ensure device manufacturers build a cybersecurity program based on the best available information, such as FDA guidance, NIST publications, and consensus-based standards.
Our industry also recognizes that cybersecurity threats require the cooperation and collaboration of multiple stakeholders in the health care ecosystem. And that’s why we have committed to working with regulatory agencies, industry partners, health care providers and others to address this challenge to ensure that everyone takes this threat as seriously as we do.
FDA is to be commended for the proactive leadership it has taken in recent years when it comes to cybersecurity. The Agency has worked collaboratively with our industry and the broader health care community to ensure medical device cybersecurity is considered and addressed throughout all stages of product design and use. While manufacturers have long included cybersecurity considerations in premarket development and postmarket surveillance, the Agency’s detailed guidance on these issues has provided important instruction and clarification for medtech companies. FDA should also be commended for its work engaging with other Federal agencies in this area, including DOJ, FBI, DHS and NIST.
Open communication is a key strategy in combatting cybersecurity threats. To that end, the medical technology industry has worked closely with public-private organizations – with the encouragement of FDA – to establish a medical device information sharing and analysis organization. Similar to systems successfully used in the energy and finance sectors, this program provides a streamlined mechanism for companies to submit and share information concerning cybersecurity-related issues.
However, despite manufacturers’ best efforts, many cybersecurity threats remain outside their control. Most connected devices are linked to third-party networks, such as a hospital’s IT system or a patient’s home-based Wi-Fi network. A chain is only as strong as its weakest link, so if these systems or networks are vulnerable, the medical devices they are connected to are vulnerable as well.
The confluence of medical technology and communications is transforming health care, providing physicians with real-time information and the ability to remotely monitor and treat patients. Our industry is committed to doing our part to ensure this progress continues by rigorously addressing cybersecurity threats pre- and post-market. We will continue to work with FDA, health care providers, the academic community, security experts and other stakeholders to ensure the continued security, safety and effectiveness of medical devices.
Closer to home, the TGA is taking the lead in developing a strategy for cyber security of medical devices in collaboration with CSIRO and Standards Australia. The aim is to address risks associated with implantable and non-implantable devices connected to the web in an increasingly complex and interconnected healthcare system.
PulseLine understands the TGA is developing a strategy to increase stakeholder awareness of expectations regarding cyber security of medical devices across the industry. PulseLine will be asking the TGA to provide some further insights in the weeks to come.