In recent years, researchers have demonstrated the potential threat of medical device and healthcare system hacking. They have been able to tamper with pacemakers, insulin pumps and other devices, which, if hacked, could cause serious harm, including death, to a patient. Recently, the FDA identified cybersecurity vulnerabilities in St. Jude Medical’s implantable cardiac devices and the corresponding Merlin@home Transmitter. These vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. While no patients were harmed, this serves as a warning that similar devices containing configurable embedded computer systems can be vulnerable to cybersecurity intrusions and exploits, as well.
To address these technological risks, in December 2016, the FDA finalized the guidance, “Postmarket Management of Cybersecurity in Medical Devices.” In reference to the guidance, Suzanne B. Schwartz, M.D., M.B.A., FDA’s Associate Director for Science and Strategic Partnerships, at the Center for Devices and Radiological Health stated that, “manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.” The new guidance embraces this approach, encouraging manufacturers to consider cybersecurity throughout the total product lifecycle of a device. This means manufacturers should implement a comprehensive program to manage cybersecurity risks, including:
- A method to monitor and detect cybersecurity vulnerabilities in their devices
- Understanding, assessing and detecting the level of risk a vulnerability poses to patient safety
- Establishing a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities (known as a “coordinated vulnerability disclosure policy”)
- Deploying mitigations (e.g., software patches) to address cybersecurity issues early, before they can be exploited and cause harm
In addition, the FDA recommends that manufacturers consider applying the National Institute of Standards and Technology’s (NIST) core principles for improving critical infrastructure cybersecurity: to identify, protect, detect, respond and recover. The FDA is also encouraging manufacturers to share information about potential breaches for enhanced security for all medical device manufacturers.
So what does this mean for you? It means that it is your responsibility to consider potential security threats to your device, and their impact, throughout the entire lifecycle of the device. Cybersecurity must become part of your overall risk management, to ensure that your product is performing as intended with as many patient protection safeguards in place as possible.
MethodSense can help you manage these risks and develop the necessary operational practices you need to maintain safety and compliance for your medical device. Get in touch today to find out how.