FDA to Address Security Issues and HIPAA Compliance of Older Medical Devices

The FDA is to take action to address problems relating to the cybersecurity of medical devices following complaints from hospitals and healthcare providers that manufacturers of the devices are not being proactive in providing protection against cyber attacks. There has also been criticism of the makers of medical equipment for failing to upgrade older models, meaning threats remain or new equipment must be purchased.

The FDA has already commenced a drive to build a more strategic and comprehensive cybersecurity program and has been running workshops to hear about security risks and concerns. The Agency is determined to get manufacturers to build in security controls rather than bolt them on afterwards and is in the process of finalizing its guidelines on pre-market approval procedures, which were first issued in the summer of 2013.

The FDA director of Emergency Preparedness/Operations and Medical Countermeasures, Suzanne Schwartz, has stated that new guidance will be released imminently.

Debunking Myths

There is a common misconception that makers of medical devices have to obtain FDA approval and therefore cannot upgrade their products without considerable bureaucracy, which is not the case. Schwartz has stated that it is not a requirement to involve the FDA before implementing improved cybersecurity measures and a new submission does not need to be made to the FDA.
A “Collaborative Approaches for Medical Device and Healthcare Cybersecurity” workshop was run in Washington, D.C. to assist device manufacturers and to hear their concerns. The FDA is now due to finalize its findings and to make its stance clear.

In recent months there has been a shift from viewing cybersecurity in terms of responding to incidents to a more proactive approach. Cybersecurity threats must be considered throughout the entire lifespan of a product, and manufacturers must incorporate the appropriate safeguards into product design.

The FDA understands that cybersecurity is a problem faced by everyone, which calls for a collaborative approach to address all the issues. It believes health care providers and device manufacturers should work together to solve problems. The government will also be involved in the process of developing workable long-term solutions to cybersecurity threats.

In June 2013, the FDA published the “Safety Communication: Cybersecurity for Medical Devices and Hospital Networks”, in addition to the first draft of its pre-market submission guidelines, specifically addressing device manufacturers and alerting them to cybersecurity risks that it was aware existed.

Manufacturers Must Address Security Risks

When the first draft of the guidance was issued there was concern raised by security experts that manufacturers were being issued with a warning, but that little was being done to hold these companies accountable for any breaches in security. Schwartz addressed this concern in a recent talk and made the FDA’s position clearer. She explained that the guidance was a starting point and told manufacturers that gaining FDA approval would involve an assessment of the security of a device, and that this would be considered as an integral part of the product’s effectiveness and safety.

As such, manufacturers would be required to take proactive steps to ensure appropriate security controls and measures are implemented in order for premarket submissions to be considered. It is no longer acceptable for cybersecurity measures to be bolted on after product release; they must be an integral part of the design process.

The FDA was forced to take a new approach due to the number of incidents involving data theft and loss on medical devices previously thought to be low risk, in addition to known high-risk devices. A thorough assessment of vulnerabilities was essential due to the high volume of data stored on networked medical devices, and there was a clear need for standards to be implemented to ensure security for the lifetime of a product.

The emphasis is now on manufacturers, although risks do exist in a healthcare setting: training on security risks must be provided and controls implemented on what is uploaded to a network.

External Help Sought by the FDA

The FDA has been working hard to improve understanding of cybersecurity and has sought advice from a number of security experts to address threats affecting devices, from purchase to decommissioning and replacement. Weekly focus group meetings have involved research, development, post-market analyses, response to emergencies and biosurveillance. Additionally, the FDA has formed a cyber incident response team in collaboration with Homeland Security.

The October workshop organized by the FDA focused on identifying holes in security and working together as a community to address those issues.

The FDA sought input in five key areas in the run-up to the workshop:

• How partnerships can be established to mitigate cyber threats specific to medical devices and their vulnerabilities, and to quickly identify, assess and communicate security issues.
• Methods that can be adopted by the stakeholder community and incentives that can be used to improve sharing of information relating to cybersecurity.
• Whether stakeholders are aware of the Framework for Improving Critical Infrastructure Cybersecurity and how this can be adopted to meet the cybersecurity needs of both the private and public sector in relation to medical devices.
• How to achieve the right balance between sharing and restricting access to data.
• How to incentivize innovation in the HPH sector and move beyond HIPAA compliance, how to improve medical device security, and the lessons that have been learned from previous case studies and security breaches.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.