Being sick or injured is stressful enough in and of itself. In addition to the concerns we have for our own health, unfortunately when we seek treatment there is a real risk of suffering from the results of a healthcare provider error or other form of medical malpractice. Now, in the internet age, we also have to be concerned about cybersecurity as it applies to our medical treatment.
FDA Creates Medical Device Security Guidelines
USA Today reports that the Food and Drug Administration (FDA) has finally put guidelines in place regulating the cybersecurity of medical devices. In a press release, the FDA’s director of emergency preparedness/operations and medical countermeasures, Suzanne Schwartz, said, “There is no such thing as a threat-proof medical device….It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.” However, the hope is that the new regulations will help protect patients from cybersecurity threats.
What are the Cybersecurity Threats that Concerned the FDA?
Medical devices can present a few different types of cybersecurity threats. One concern is system vulnerabilities, which could include malware infections on medical devices that are connected to a network. That network could include computers and mobile devices that are used to access patient records, so weaknesses in the medical devices’ security systems could give access to patient information to those who exploit those weaknesses. There are also concerns about these devices being unsecured or having passwords that are widely distributed. Updating the software on these devices could also present problems. The FDA has not released any information about any patients who have been directly injured by these sorts of problems, but the agency is concerned that these issues could arise without regulations. These issues did not use to be a big concern because medical devices were stand-alone devices. However, now that they are connected to networks, they can be accessed by other devices on the network, and they can access those other devices. While this has improved the quality of medical care in many ways, it has also endangered the security of that medical care.
So What Has the FDA Done to Solve the Problem?
The FDA issued a set of recommendations to manufacturers of medical devices to solve these issues. The set of recommendations is called “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” Basically, this document advises companies that manufacture medical devices to take these cybersecurity issues into account when designing and developing medical devices. While the language of being “guidelines” may seem weak, in effect these guidelines are rules. The reason for that is that the FDA is also the agency that decides whether a new medical device will be approved to be marketed. So if manufacturers do not follow the guidelines, the FDA could block approval of the medical device. Of course, this does not address these issues as they relate to devices that are already approved and in operation. In the case of those devices, the responsibility will fall on health care organizations to make sure that the devices are as secure as possible.