Key facts to know about the Food and Drug Administration’s (FDA) role in medical device cybersecurity

When it comes to the cybersecurity of medical devices and the internet of medical things (IoMT), there are a lot of open questions. Given the sensitive and critical nature (sometimes life and death) of these devices, it’s not surprising that medical device manufacturers (MDMs) and operators alike want to make sure they have all the answers they need before making decisions that could impact the operations and safety of their clinical devices. 


The different agencies, rules, and regulations involved in governing medical devices can add to the complexity of the cybersecurity device landscape. To help you navigate this complicated environment, we will attempt to cut through some of the confusion and provide clarity on the role the U.S. Food and Drug Administration (FDA) plays in medical device cybersecurity. 


In general, the FDA provides pre-market and post-market guidance designed to reduce the risks of medical devices and assure their ongoing availability and effectiveness. Its site explains, “The FDA provides guidance to help manufacturers design and maintain products that are cyber secure. And on behalf of patients, the FDA urges manufacturers to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and solutions to address them.”


I’ve noticed some misconceptions about medical device cybersecurity. While not exhaustive and certainly not finger-pointing, I think it’s vital for the biomedical engineering community to set the record straight and help improve the overall security of our medical devices and hospitals. The following are seven of the most commonly confused aspects of the FDA’s role in medical device security.


1. The FDA is the only federal government agency responsible for the cybersecurity of medical devices.

The FDA is only one piece of the cybersecurity device puzzle. As the FDA notes, “[It] shares the responsibility with device manufacturers, hospitals, health care providers, patients, security researchers, and other government agencies, including the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and U.S. Department of Commerce.”


2. Cybersecurity for medical devices is optional.

Beyond the obvious (releasing an insecure device wouldn’t be good for business), device manufacturers must comply with various checks and balances (federal regulations) when designing, building, and maintaining their products. “Part of those regulations, called quality system regulations (QSRs), requires that medical device manufacturers address risks, including cybersecurity risk. The pre- and post-market cybersecurity guidance provides recommendations for meeting QSRs.”

3. Medical device manufacturers can’t update medical devices for cybersecurity.

Medical device manufacturers can always make updates that strengthen the cybersecurity of their products. The FDA doesn’t typically need to review those changes. In short, any manufacturer can update their devices whenever they need to.


4. Healthcare Delivery Organizations (HDOs) can’t update and patch medical devices for cybersecurity.

In reality, HDOs can (and should) implement patches and updates to their devices that reduce risks. The FDA recommends that HDOs work closely with MDMs to coordinate any changes so that there are no unintended consequences.

Typically, the more significant issues around updating or patching medical devices are practical ones: because devices can be involved in patient care and/or constantly on the move, it can be challenging to locate them and identify a safe time to perform an update.


5. The FDA is responsible for validating software changes to address cybersecurity vulnerabilities.

The medical device manufacturer is responsible for validating any software changes to their devices, including those needed to address cybersecurity vulnerabilities.


6. The FDA tests medical devices for cybersecurity.

The FDA does not do any pre- or post-market testing. Medical device manufacturers are responsible for testing their medical devices for cybersecurity issues and remediating them.


7. Companies that manufacture off-the-shelf (OTS) software used in medical devices are responsible for validating its secure use.

Many MDMs use OTS software in their medical devices, and they are responsible for securing it and ensuring the device’s ongoing safe and effective performance. The MDM is also responsible for reporting a bill of materials for the software (a software bill of materials, or SBOM) and hardware they use in their devices.


It is critically important that biomedical engineers arm themselves with highly accurate data about their devices so they can take any necessary steps to patch, remediate, or isolate devices with cybersecurity issues.

For more information on medical device cybersecurity, please visit medigate.io/cde.