FDA Seeks Collaboration on Medical Device Security

The U.S. Food and Drug Administration (FDA) on Tuesday put out a call for ideas and input on how best to secure medical devices and the healthcare system from cyber attack.

The FDA is calling for private and public sector collaboration to address medical device security. (Image courtesy of Google.)

In a federal notice, the FDA announced that it will hold an October workshop entitled “Collaborative Approaches for Medical Device and Healthcare Cybersecurity.” It also solicited input from stakeholders within the government and from the public health sector on medical device and healthcare cyber security.

The workshop is scheduled for October 21 and 22 and will run from 9:00 AM to 5:00 PM at the National Intellectual Property Rights Coordination Center Auditorium in Arlington, Virginia.


The Department of Health and Human Services (HHS) is looking for ideas about how best to implement aspects of both Executive Order 13636 for “Improving Critical Infrastructure” and follow-on guidance like the National Institute of Standards and Technology’s (NIST’s) “Framework for Improving Critical Infrastructure Cybersecurity.” HHS is responsible for adapting the framework to the public health sector. A top priority is agreeing on terms to talk about information security risks in the context of healthcare.

“Developing a common lexicon is critical to this public-private collaboration to address and manage medical device cybersecurity risks,” the FDA notice said.

Information security risks are real enough for the medical and healthcare fields. Consumer device makers like Apple and Google are both pushing into the health and wellness space. The Department of Homeland Security has warned that wireless-enabled medical devices could be subject to remote attacks.

“If exploited, cyber vulnerabilities may result in medical device malfunction, disruption of healthcare services including treatment interventions, inappropriate access to patient information, or compromised electronic health record data integrity,” the FDA warned. “As devices become more connected and interoperable, the threat potential increases.”

The FDA believes that, as medical devices become more interconnected, the security problems created by that connectivity become more complex and impossible to solve in isolation. Addressing medical device cyber security means “designing healthcare systems for seamless integration,” FDA said.

The FDA says topics worth discussing include information sharing within the medical field and the creation of a shared risk-assessment framework; identifying cyber security gaps and challenges, especially in legacy devices; identifying and tapping technical subject matter experts; and developing medical device benchmarks for security.

The Department of Health and Human Services and the FDA can’t be accused of having a closed-door policy when it comes to the issue of (cyber) security and the growing population of IP-enabled medical devices. HHS identified the security of mobile and networked medical devices as a top priority in 2014. The FDA has also issued guidance urging medical device makers, and the hospitals that use their products, to pay more attention to cyber security and the potential for cyber attacks on vulnerable medical instruments.