Although there haven’t been any cases of hackers exploiting medical devices, the risk is real. On October 1st, FDA Commissioner Scott Gottlieb laid out the agency’s four-step plan to strengthen its cybersecurity program for medical devices. Here’s what you need to know:
1. Cybersecurity "playbook."The FDA teamed up with Mitre Corp., a nonprofit that operates federally funded research and development centers, toroll outa playbook to help hospitals and health systems with cybersecurity readiness for medical devices. The playbook outlines how to develop medical device inventories, conduct training exercises among staff and take steps to reduce patient safety concerns.
2. Information sharing.The FDA will establish information sharing analysis organizations to gather and disseminate information about cybersecurity risks. One ISAO will bring together device makers to share information about potential vulnerabilities and emerging threats, while another project will encourage government agencies, such as Homeland Security, to develop collaborative responses to cyber-threats.
3. Updated premarket guidance.The FDA's current premarket guidance was finalized in 2014. In October, the agency plans to publish an update with new cybersecurity guidance — such as asking manufacturers to provide a "cybersecurity bill of materials," or a list of commercial and off-the-shelf software and hardware components in a device that could be susceptible to vulnerabilities.
4. Dedicated resources.The FDA Center of Excellence for Digital Health, which the agencyproposedin its budget for fiscal year 2019, will support a cybersecurity unit focused on medical devices, including those that are software-based or fall under the category of digital health.