The FDA announced that it has finalized its guidance on managing cybersecurity risks as it aims to protect patient privacy and prevent devices from malfunctioning due to computer viruses.
"There is no such thing as a threat-proof medical device," said Dr. Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures at the FDA's Center for Devices and Radiological Health. "It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks."
The agency's cybersecurity concerns include viruses on network-connected medical devices or computers, smartphones, poorly secured and controlled passwords, failure to upgrade software on medical devices and networks and vulnerabilities in off-the-shelf software, according to the release.
The final guidance has not yet been published but will be available Oct. 2 via the Federal Register. And the agency will hold a workshop Oct. 21-22 in collaboration with the Department of Homeland Security to discuss potential threats and ways to beef up cybersecurity. The meeting will include medical device manufacturers, cybersecurity researchers and government officials, and will touch on themes such as the interconnectivity of medical devices, developing a shared risk-assessment framework and developing tools and shared standards to build a comprehensive cybersecurity program.
Meanwhile, HealthIT Security reports that the FDA's device arm in August partnered with the nonprofit National Health Information Sharing & Analysis Center to share information about the latest threats and develop a risk assessment framework.
Cybersecurity scares were made real last summer when Department of Homeland Security researchers uncovered a hard-coded password vulnerability affecting about 300 medical devices, including surgical and anesthesia devices, ventilators, external defibrillators and patient monitors. That lead to the issuance of an alert saying, "The affected devices have hard-coded passwords that can be used to permit privileged access to devices such as passwords that would normally be used only by a service technician. In some devices, this access could allow critical settings or the device firmware to be modified."