The FDA steps up efforts at bringing about medical device cyber security

It is a disturbing, but true fact that medical devices are hacked. Medical devices have inbuilt software, and hackers try to breach this. Medical device cyber security is thus critical, because lack of it can bring harm to patients who use medical devices that come with software built into them.

An important factor that makes medical devices vulnerable to cyberattacks, thus triggering and hastening the need for medical device cyber security is that many times, medical devices are not standalone devices. They are connected via the Net to a number of important sources such as hospitals, electronic records and healthcare providers.

This fact makes it easier for hackers to carry out cyberattacks on medical devices because it is not necessary for them to actually have access to the device to carry out their breach. All these factors combine to make medical device cyber security a much needed system.

The FDA guideline of June 2013

Keeping in mind the nature of fallibilities in a medical device; the FDA, with the intention of bringing about medical device cyber security passed the draft guideline on this topic in mid-2013. Titled the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices; this guideline sought to address the issue of medical device cyber security by making an attempt at identifying the issue from its root.

That is, this guideline on medical device cyber security put in place security checks and procedures that manufacturers of medical device have to put in place right from the earliest stages of manufacture, going all the way up to the time it is implanted in or used by the patient.

The main intention of this FDA medical device cyber security guideline is to offer recommendations that medical device manufacturers need to take to reduce the intentional or unintentional risk of an attack on a medical device. This FDA guideline seeks to enforce medical device cyber security by ensuring that the manufacturers take steps to secure medical devices by clearly defining medical device cyber security.

Terms clearly defined

The FDA defines medical device cyber security as steps taken to prevent any of these:

• Unauthorized modification
• Misuse of the device
• Denying the use of the device
• Unauthorized use of the information that is stored in these devices. This relates to the information stored, accessed and modified when the device is transferred from one source to another

Documentation is at the heart of ensuring medical device cyber security

Towards ensuring medical device cyber security as defined by it; this FDA guideline requires manufacturers to monitor and document all the aspects of medical device cyber security at all stages. Medical device manufacturers should bring about medical device cyber security by developing a set of controls in three vital areas:

• Firstly, medical device manufacturers should take steps to permit only authorized personnel into the software of the medical device
• Medical device manufacturers should also ensure medical device cyber security by filling only relevant and accurate data into the device
• They should also ensure that data is available when asked for

Controls, controls, controls

A very important aspect of medical device cyber security that the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices brings about is that it requires medical device manufacturers to monitor and document all the possible potential for medical device cyber security breach from the design stage itself.

Medical device manufacturers have to also bring to the notice of the FDA whenever they make changes related to security at the premarket notification stage. It seeks to fortify medical device cyber security by requiring medical device manufacturers to provide information relating to medical device cyber security by submitting data related to the following: