FDA Announces Strengthened Focus On Cybersecurity
ABSTRACT: In an October 2, 2018 statement issued by FDA Commissioner Scott Gottlieb, M.D., the FDA announced its efforts to strengthen its medical device cybersecurity program in order to protect patients from medical device vulnerabilities and emerging threats to those devices.
CYBERSECURITY. In a statement issued by FDA Commissioner Scott Gottlieb, M.D., the FDA made clear that the threat of cybersecurity attacks is no longer a theoretical discussion but is present, and that steps must therefore be taken to proactively address future threats. Such attacks are already here in other contexts, including attacks on financial institutions, government agencies, and health care systems.
The FDA’s specific concerns revolve around attacks on patient medical devices. Cybersecurity researchers have found various vulnerabilities in patient medical devices that could result in bad actors gaining access to and control over the patient’s medical device. While “FDA isn’t aware of any reports of an unauthorized user exploiting a cybersecurity vulnerability in a medical device that is in use by a patient,” the “risk of such an attack persists.” As a result, in an effort to instill confidence in both patients and providers that it can effectively address any reported medical device cyber vulnerabilities, the FDA has determined that it is important to address the threat of such an attack now.
In taking such proactive steps, the FDA announced it has coordinated with the MITRE Corporation to launch a cybersecurity “playbook” for health care delivery organizations, along with the “signing of two significant memoranda of understanding.” A “sneak peek” at the playbook shows it addressing the types of readiness health care delivery organizations should consider in order to be better prepared for, and to address, cybersecurity incidents involving their respective medical devices. The memoranda, among other actions, created groups such as information sharing analysis organizations, which are groups of experts (intended to include manufacturers who share potential vulnerabilities and threats) that gather, analyze and disseminate important information about cyber threats.
The FDA’s work in addressing cybersecurity threats dates back to 2013 with the establishment of its medical device cybersecurity program. The FDA has issued premarket and postmarket guidance for manufacturers to consider in addressing their cybersecurity vulnerabilities and threats. While the FDA’s premarket guidance was finalized in 2014, it announced in this statement that it plans on publishing a “significant update to that guidance to reflect the FDA’s most current understandings of, and recommendations regarding, this evolving space.” One such example included providing customers with a cybersecurity bill of materials to ensure that device customers and users are able to respond quickly to potential cybersecurity threats.
Finally, the FDA is taking steps to bring additional resources to build its medical device cybersecurity program, starting with its Fiscal Year 2019 Budget in order to establish additional “regulatory paradigms” to proactively address vulnerabilities and threats.
Be on the lookout for a future discussion of the FDA’s collaborative “playbook” with MITRE, as well as a posting on the FDA’s “significant update” to its 2014 premarket guidance.
For immediate, additional information about addressing cybersecurity breaches in medical devices, visit our prior posts addressing cybersecurity:
- Three-part series on addressing cybersecurity breaches in medical devices: Part I, Part II, Part III;
- Four-part series addressing postmarket management of cybersecurity in medical devices: Part I, Part II, Part III, Part IV.
About Drug / Device Law Blog
Baker Sterchi's Drug / Device Law Blog examines topics and legal developments of interest to the drug and device industry. Learn more about the editor, Paul Penticuff, and our Drug and Device practice.