US FDA unveils new plans to secure medical devices against emerging threats and vulnerabilities
The recent rise in medical device vulnerabilities has prompted the US Food and Drug Administration (FDA) to announce new guidelines and recommendations to regulate and help improve the cybersecurity of over 190,000 different medical devices used in the treatment and diagnosis of illness. These efforts will build on and improve existing patient safety programs and promote public health, according to the report released by the FDA.
The FDA's Medical Device Safety Action Plan focuses on five key areas:
1. Establishing a robust medical device patient safety net in the United States.
2. Exploring regulatory options to streamline and modernize timely implementation of postmarket mitigations.
3. Activating innovation towards safer medical devices.
4. Advancing medical device cybersecurity.
5. Integrating the Center for Devices and Radiological Health's (CDRH) premarket and postmarket offices and activities to advance the use of a Total Product Life Cycle (TPLC) approach to device safety.
Medical devices range from common medical supplies to complex instruments that help save and sustain human life. The report focuses primarily on devices based on digital technology, which is driving a revolution in healthcare.
The agency wants to secure the medical infrastructure using the Unique Device Identification system and is urging medical device manufacturers to implement a "Software Bill of Materials" to help customers and users determine which systems may be impacted by vulnerabilities. It also aims to develop the National Evaluation System for Health Technology (NEST), whose goal is to evaluate and manage significant postmarket safety signals.
The FDA also plans to update its premarket guidance for medical device cybersecurity to better safeguard devices against moderate risks - such as ransomware and other attacks that could halt clinical operations and daily patient care - as well as major risks that involve remote exploitation of a vulnerability in a complex "multi-patient, catastrophic attack".
Companies will also be required to adopt certain policies and procedures regarding the coordinated disclosure of device vulnerabilities and flaws. Currently, part 806 of the reporting regulations requires device manufacturers to report updates to the FDA within 10 days of discovery. The report should include information about the device, including manufacturing and marketing details and a history of any illness caused by the device.
Doctors at the RSA 2018 conference demonstrated a scenario in which a compromised medical device led to a patient being overdosed. Hence, according to the report, patient safety technology needs to be more robust.
Healthcare digitization has brought a revolution in the healthcare sector. The increased use of mobile devices by both doctors and patients has been a major area of concern for patient security, and that is why threat actors tend to target the healthcare industry as the most valuable one, experts said.