What Healthcare Professionals Should Know About the FDA and Medical Device Security

Kayla Matthews
Healthcare in America
3 min read · Oct 9, 2018

Medical devices become more common every day. Apple recently released its Health app and its HealthKit tools for developers, making the Apple Watch more compatible with other aftermarket medical monitoring devices.

The problem with networked medical devices, though, is the same problem that all networked systems face — the possibility that the system could get hacked and protected health information could fall into the wrong hands. The FDA is taking steps to ensure the security of these medical devices.

What should healthcare professionals know about the FDA and their plans to improve medical device security?

A Cybersecurity Playbook

The FDA laid out a four-step plan to improve the security of networked medical devices in the near future, in honor of National Cybersecurity Awareness Month, which started October 1.

The first of these steps, a cybersecurity playbook, required a partnership with a nonprofit called MITRE Corp. The playbook is designed to help hospitals and healthcare professionals improve their own internal cybersecurity and get ready for internal and external medical device integration.

The playbook breaks down the FDA-approved protocols for things such as medical device inventory and how to train employees to improve cybersecurity across the board.

New Rules for Information Sharing

The FDA is also working on new rules for information sharing when it comes to private patient information and cybersecurity. This step will bring together all medical device makers and create a think tank to assess potential security vulnerabilities. Another team will collaborate with government agencies, such as Homeland Security, to improve information-sharing protocols at a federal level.

Premarket Guidance

This step was actually finalized in 2014, but in October 2018, the FDA released an additional packet for this program that focuses specifically on the cybersecurity of medical devices. The packet will include a list of both commercial and privately created software and hardware that could contain cybersecurity vulnerabilities, with the aim of improving security before the devices hit the market.

Dedicated Cybersecurity Resources

As part of the 2019 budget, the FDA is planning on including additional funding to support a full-time cybersecurity department for medical devices. This department will also focus on healthcare software and digital health apps such as the new Apple Health. Many private companies are already working toward improving regulatory compliance, but at this point, these companies are working on their own without additional FDA funding.

Healthcare Impact

While these all seem to be a step in the right direction when it comes to medical device security, what sort of impact will this have on the healthcare industry as a whole?

On the development side of things, it will add some additional steps for both software and hardware developers. Developers will need to get approval from the FDA to install a software patch if it changes the use of the software or any of the core components. The only exception to this will be if the medical facility has enough in-house resources to maintain its software independently.

The new task force that the FDA is planning on creating in the 2019 budget is also going to foster collaboration between hardware and software developers, with the goal of creating new devices that are secure and safe to use for patients and users across the country.

It will, hopefully, also provide the FDA and healthcare providers with the tools to more quickly respond to cybersecurity breaches to prevent the kind of downtime that occurs after a breach.

The WannaCry attack took a number of National Health Service facilities offline when their computers were infected with ransomware — an attack that they had been warned about for more than a year before it occurred. Simple steps such as upgrading from a Windows XP operating system, which Windows stopped supporting in 2014, could have prevented the attack from even happening.

Steps in the Right Direction

These are excellent steps in the right direction, especially with more medical devices debuting on the market than ever before — and many of them are designed to function as a mobile equivalent of professional medical devices.

It’s a good thing that the FDA is taking a closer look at the cybersecurity of medical devices. While it might create a few new hoops to jump through for medical professionals, it will give them a new way to protect their patients and their healthcare information.
