The Food and Drug Administration ("FDA") recently announced that it will be hosting a public workshop on October 21 and 22, 2014, in Arlington, Virginia, entitled "Collaborative Approaches for Medical Device and Healthcare Cybersecurity."

Officials from FDA, the Department of Health and Human Services ("HHS"), and the Department of Homeland Security ("DHS") will bring together medical device manufacturers, insurers, cybersecurity researchers, trade organizations, government officials, and other stakeholders to discuss the numerous challenges faced in medical device cybersecurity.

CDRH OFFICIAL: BE AWARE OF DEVICE RISKS

On September 23 and 24, 2014, the National Institute of Standards and Technology ("NIST") and the Department of Health and Human Services Office of Civil Rights ("HHS OCR") hosted their annual HIPAA conference "Safeguarding Health Information: Building Assurance through HIPAA Security

In her presentation "Medical Devices: A Practical Guide for Securing Patient Data", Dr. Schwartz, from the FDA Center for Device and Radiological Health, emphasized the need for a collaborative approach in the medical device ecosystem to ensure security. Because most of the millions of hospital discharges, hospital outpatient visits, physician office visits and prescriptions in the US involve networked medical devices, Dr. Schwartz indicated that securing these devices is of the utmost importance for both regulatory and practical purposes.

MEDICAL DEVICES HAVE INHERENT VULNERABILITIES

Dr. Schwartz noted that as medical devices become increasingly connected through wireless and wired networks, it is critical to ensure adequate controls are in place on the network. Computers, wireless and mobile devices, and the medical devices themselves can be infected or disabled with malware. Security vulnerabilities also exist in the form of sharing of passwords, lack of proper training for personnel, and failure to update and patch software on the network.

Several medical devices have already been compromised in the past few years. For example, researchers demonstrated in 2013 that about 300 medical devices from around 40 vendors contained hard-coded passwords, making them highly vulnerable. In 2011, a hacker presented his findings related to his own insulin pump, which could easily be compromised and the pump's levels remotely changed to a lethal dose.

FDA OFFERS STANDARDS, GUIDANCE

FDA has recognized standards for cybersecurity and interoperability as well as wireless technology in medical devices. Additionally, on October 2, FDA released final guidance, on the content of premarket submissions for medical device cybersecurity.  Those of you who are familiar with the draft guidance should note that the final guidance is substantially similar to the draft guidance with some additional emphasis on balance, emphasizing that security should not unreasonably limit the ability to use a device in emergency situations.

For those who are not familiar with the draft guidance, the final guidance describes the information that manufacturers should include in their premarket submission.  It recommends medical device manufacturers consider the following as part of their cybersecurity activities:

  • Identify and protect by limiting access to trusted users and ensuring trusted content;
  • Implement features to detect security compromises
  • Inform the end user about the appropriate action to take if a security compromise is detected
  • Protect critical functions, even in the event of a security compromise

Device stakeholders would do well to review these documents and ensure that they understand the steps they should take to meet these standards and comply with the HIPAA Security Rule.

WHAT STAKEHOLDERS SHOULD DO

There are a number of good steps which can be taken to reduce risk. Properly training all personnel is critical to avoid loss of devices, phishing attacks, and more. Ensuring that software is always the most up-to-date version is an easy and important measure to improve security. Additionally, segregating network functions will ensure that any compromise will not affect the entire universe of networked devices. New devices and software should be thoroughly inspected for potential security vulnerabilities before adding them to the network.

On top of those steps, healthcare entities should conduct regular risk assessments and network security audits. Crafting policies to comply with standards such as ISO-27001, COBIT 5, or the HITRUST Common Security Framework is a must.

Back to Health Law Advisor Blog

Search This Blog

Blog Editors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.