Cybersecurity for Medical Devices: Who’s Accountable?
Cybersecurity for medical devices is on the agenda for the September 10, 2019 meeting of the U.S. Food and Drug Administration (FDA) Patient Engagement Advisory Committee (PEAC). PEAC will discuss and make recommendations on the topic “Cybersecurity in Medical Devices: Communication That Empowers Patients.”
PEAC to Address Medical Device Cybersecurity
The Patient Engagement Advisory Committee (PEAC) was established by the FDA to give voice to patients. PEAC is the first and only advisory committee whose members are all patients, caregivers, and representatives of patient organizations. PEAC facilitates broader discussions of important patient-related issues. Such discussions may help inform device innovation, development, evaluation, and access. In addition, PEAC is an advisory source the FDA uses to fulfill its commitment to protect and promote public health.
The September 2019 meeting will gather recommendations from the committee that directly address cybersecurity for medical devices. The public will have a voice on which factors the FDA should consider when communicating cybersecurity risks and breaches to patients and the public, and on how this information is shared.
Furthermore, “recommendations will also address concerns patients have about changes to their devices to reduce cybersecurity risks as well as the role of other stakeholders such as healthcare providers in communicating cybersecurity risks to patients.”
Cybersecurity for Medical Devices is a Present Danger
Medical devices are connected to the internet, provider networks, and other devices. Connected devices, part of the Internet of Things (IoT), improve the quality of healthcare and the availability of real-time information to providers.
The disadvantages of IoT, of course, include cybersecurity threats to medical device software and firmware that could disrupt device functionality. It may seem unfathomable that an unauthorized user could gain access to an insulin pump that is used to measure and monitor a person’s insulin or an infusion pump that administers drug product through programmed dosages. Not only is the function of the medical device in jeopardy, but personal data can be exposed as well.
When a breach or vulnerability is detected, the impacted patient(s) require immediate notification and advisement—as do the regulators. A chain of investigation and remediation must come into play. Along the chain is a network of people from manufacturers and software developers, all the way downstream to the patient. PEAC advisement will provide much-needed feedback in the patient/provider areas.
Design Controls for Medical Device Cybersecurity
Many of us know someone, perhaps even ourselves, who benefits from the assistance of a medical device. Many devices require Wi-Fi or internet access and have firmware or embedded software installed to function properly. These devices require software updates and patches throughout their lifespan. In most cases, the patch or update is available as a downloaded executable, which can make the medical device vulnerable to hackers. So, what is being done and who is doing it?
Medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs) are both responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.
- Medical device manufacturers (MDMs) are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity.
- Healthcare delivery organizations (HDOs) should evaluate their network security and protect their hospital systems.
MDMs are expected to implement and demonstrate appropriate design controls throughout the medical device lifecycle. This includes maintaining and including a “cybersecurity bill of materials” in the premarket submission of a medical device as well as instituting proper medical device design change control for anything that has changed post-market. As with any design input, there must also be an appropriate risk assessment and mitigation plan for software or hardware components of a medical device.
More Questions Persist
Both MDMs and HDOs are responsible for ensuring there are actionable cybersecurity mitigations in place that become part of the device design. However, the question of ultimate accountability is still on the table. Could it be the party that owns the Design History File and thus all the premarket deliverables such as Design Inputs, Design Outputs and Risk Management Plan? Could it be the service centre that manages the routine servicing of medical devices? Or will any responsibility fall on the medical device user?
Any party that plays a part in the lifecycle and distribution channel of a medical device should be part of the overall risk mitigation planning. In the end, there can only be one owner of the Design History File. One accountable party in most cases is whoever is responsible for submitting the device registration or market approval, which is commonly the MDM.
As for options to manage and control the full list of design inputs, electronic quality management software (eQMS) can help. With rules-driven actions established, vulnerabilities found through risk assessments, post-market surveillance, and other sources are routed through a chain of investigation and resolution. IT patch surveillance can integrate with some eQMS systems, which enables patch management tracking and remediation to be included in the Design History File. Should the FDA or a third party request to see what has been done to mitigate a known software or firmware vulnerability, the system contains time-stamped and approved records to demonstrate a proactive remediation program. Demonstrable oversight of IoT devices will become a critical compliance requirement for medical device manufacturers, and the time to consider best practices is now.