FDA issues new rules on medical device cybersecurity

Another step has been added to the development process for medical devices: preventing cyberattacks.

The U.S. Food and Drug Administration on Wednesday finalized guidelines strongly urging devicemakers to show that they've considered whether devices are vulnerable to intentional or unintentional cyberattacks, and the steps they took to reduce risk.

The rules are technically nonbinding, but experts say companies could face consequences for ignoring them if devices are later hacked or infected with malware.

"Recommendations do essentially mean rules in the FDA world," said Mike Ahmadi, global director of medical security with FDA contractor Codenomicon. "Let's say something comes up. If you didn't follow the guidance, that serves as evidence to the FDA that they should now do a much deeper investigation. That, to a medical device manufacturer, is frightening."

Medical devices employing computer logic have always faced some risk of hacking or inadvertent disruptions. But those dangers have been greatly magnified by an explosion of digital connectivity, including devices that talk to one another over the Internet, via hospital networks and even through cellphone towers.

The FDA's seven-page announcement comes three weeks before a national workshop on cybersecurity and medical devices, scheduled for Oct. 21-22 in Arlington, Va. The meeting, which is being run in collaboration with the Department of Homeland Security, is intended to generate a national discussion among health care providers, devicemakers and IT experts on how to collaboratively improve the cybersecurity of medical devices implanted in the body or parked on hospital computer networks.

It is an issue of particular importance in Minnesota's large medical technology community, including industry leaders Medtronic, St. Jude Medical and Boston Scientific.

There has never been a documented cyberattack on a medical device that resulted in patient harm, although hackers have publicly demonstrated that it's possible. So far the bigger risks to devices appear to come from unintentional disruptions from sources like Internet malware and electromagnetic radiation.

Infected devices may malfunction, spread computer viruses and put patients' information into the hands of unauthorized users. "This in turn may have the potential to result in patient illness, injury or death," FDA officials wrote in Wednesday's rules.

In applications for approval of new devices, the FDA wants to see proof that a company has done a risk assessment and considered a number of security options before arriving at solutions to specific cybersecurity vulnerabilities. The agency expects manufacturers to think about how to provide future software patches and updates to operating systems that need them, especially since many devices use or interface with commercially available computer software, the new rules say.

One of the key challenges in medical device cybersecurity is designing a system that can prove that a particular user should be allowed to access a device without requiring a password, which could hinder treatment on an unconscious patient in an emergency room. Another problem is figuring out what data should be encrypted from a device, especially one that interfaces with older, slower hardware.

The FDA rules say devicemakers should think about ways to guarantee that lifesaving devices stay operational, even if they're hacked or disrupted.

While the challenges are clear, solutions have proved elusive in part because no single stakeholder group has power over the whole problem. Devicemakers say they need more data on cybersecurity breaches, but hospitals say they could be vulnerable to bad publicity and litigation if they come forward with concerns.

Doctors and nurses may not even realize a cybersecurity breach has taken place with a defective device. The FDA meeting will bring together stakeholders from all of those groups and more.

One further risk involves patient reaction. Denis Foo Kune, CEO of medical-device cybersecurity firm Virta Laboratories, said attention to the issue of medical device cybersecurity in the media could undo progress on the technical front.

"My worry is that patients might make a decision mostly based on media reports and forgo medical therapy because of perceived security risks," Kune wrote in an e-mail. "In my opinion, as far as we know today, the benefits from therapy vastly outweigh the security risks."

Joe Carlson • 612-673-4779