It’s National Cybersecurity Awareness Month, and the message is clear: “Do Your Part. #BeCyberSmart.” The goal of promoting cybersecurity awareness is to encourage and empower individuals and organizations to protect their internet-connected systems from cyber-threats. Whether it be protecting hardware, software or data, everyone has a role to play in keeping people and data safe.
While we might typically think about cybersecurity as it relates to our personal computers and online transactions, medical devices are becoming more advanced and will often include technology that could make the device vulnerable to cyber-threats. A large number of recently cleared medical devices, and many more on the way, contain software and connect to the internet, hospital networks, a mobile phone, and/or other devices to share information. Over the years, FDA has made it increasingly clear that it is critically important to ensure medical devices are cyber secure. FDA urges all manufacturers to monitor and assess the cybersecurity vulnerability risks associated with their medical devices, and to be proactive about disclosing vulnerabilities and solutions to address them.
FDA is aware that the introduction and application of new technologies to all different types of medical devices, including implantable or wearable devices, can result in care that is safer, timelier and more convenient. For example, patients with an implanted heart device can be monitored remotely and possibly spared a visit to the doctor’s office; and people with diabetes have new options for managing their blood-sugar levels because some glucose meters and insulin pumps can essentially talk to each other. However, FDA is also aware that the same features that improve health care and increase the ability of health care providers to treat patients “can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.”
FDA is using this month to highlight the risks associated with bringing new and amazing technology to market. FDA has also made an effort to highlight the agency’s role in medical device cybersecurity, publishing a fact sheet that helps dispel myths and explain the facts when it comes to medical device cybersecurity. One myth addressed in the fact sheet: cybersecurity for medical devices is optional. This statement could not be further from the truth! Medical device manufacturers must comply with federal regulations, including quality system regulations (QSRs), which require manufacturers to evaluate and address risks, including cybersecurity risks.
With so many medical devices now connecting to the internet, hospital networks, and smart devices, the number of potential vulnerabilities increases. FDA is particularly keen to make patients and caregivers aware of cybersecurity risks, as made clear by the release of “Communicating Cybersecurity Vulnerabilities to Patients: Considerations for a Framework.” The document identifies best practices to be used when communicating with both patients and caregivers about the vulnerabilities and opportunities for interference that exist when it comes to medical devices. FDA also published “Medical Device Cybersecurity: What You Need to Know,” in which the agency outlines its efforts to keep medical devices cyber secure.
It’s no secret that with each passing year technology has become more and more integrated into the medical and scientific world, and the results have been quite literally life saving. However, we need to remember that embedding new technology also introduces new potential vulnerabilities and risks. So, with October being Cybersecurity Awareness Month, we’d like to remind our readers how important it is to think about cybersecurity and how everyone has a role to play in keeping medical devices cyber secure! Make sure to check back in next week to learn about some medical devices that rely on cybersecurity, as well as read our exclusive interview with a former FDA cybersecurity expert!