Another step has been added to the development process for medical devices: preventing cyberattacks.

The U.S. Food and Drug Administration on Wednesday finalized guidelines strongly urging devicemakers to show that they've considered whether devices are vulnerable to intentional or unintentional cyberattacks, and the steps they took to reduce risk.

The rules are technically nonbinding, but experts say companies could face consequences for ignoring them if devices are later hacked or infected with malware.

"Recommendations do essentially mean rules in the FDA world," said Mike Ahmadi, global director of medical security with FDA contractor Codenomicon. "Let's say something comes up. If you didn't follow the guidance, that serves as evidence to the FDA that they should now do a much deeper investigation. That, to a medical device manufacturer, is frightening."

Medical devices employing computer logic have always faced some risk of hacking or inadvertent disruptions. But those dangers have been greatly magnified by an explosion of digital connectivity, including devices that talk to one another over the Internet, via hospital networks and even through cellphone towers.

The FDA's seven-page announcement comes three weeks before a national workshop on cybersecurity and medical devices, scheduled for Oct. 21-22 in Arlington, Va. The meeting, which is being run in collaboration with the Department of Homeland Security, is intended to generate a national discussion among health care providers, devicemakers and IT experts on how to collaboratively improve the cybersecurity of medical devices implanted in the body or parked on hospital computer networks.

It is an issue of particular importance in Minnesota's large medical technology community, including industry leaders Medtronic, St. Jude Medical and Boston Scientific.

In the medical context, devices can be anything from implantable heart defibrillators and insulin pumps to advanced diagnostic equipment sitting on a hospital floor, like a magnetic-resonance imaging system. The FDA definition of "medical device" even includes stand-alone software, such as a custom program that allows a hospital medical record system to collect blood-oxygen data from a patient's ventilator.

There has never been a documented cyberattack on a medical device that resulted in patient harm, although hackers have publicly demonstrated that it's possible. So far the bigger risks to devices appear to come from unintentional disruptions from sources like Internet malware and electromagnetic radiation.

Infected devices may malfunction, spread computer viruses and put patients' information into the hands of unauthorized users. "This in turn may have the potential to result in patient illness, injury or death," FDA officials wrote in Wednesday's rules.

In applications for approval of new devices, the FDA wants to see proof that a company has done a risk assessment and considered a number of security options before arriving at solutions to specific cybersecurity vulnerabilities. The agency expects manufacturers to think about how to provide future software patches and updates to operating systems that need them, especially since many devices use or interface with commercially available computer software, the new rules say.

One of the key challenges in medical device cybersecurity is designing a system that can verify a particular user is authorized to access a device without requiring a password, since a password prompt could hinder treatment of an unconscious patient in an emergency room. Another problem is deciding which data leaving a device should be encrypted, especially on a device that interfaces with older, slower hardware.

The FDA rules say devicemakers should think about ways to guarantee that lifesaving devices stay operational, even if they're hacked or disrupted.

"By carefully considering possible cybersecurity risks while designing medical devices, and having a plan to manage system or software updates, manufacturers can reduce the vulnerability of their medical devices to cybersecurity breaches," an FDA spokeswoman wrote in an e-mail. "Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity, and are responsible for putting appropriate mitigations in place to address patient safety and assure proper device performance."

While the challenges are clear, solutions have proved elusive in part because no single stakeholder group has power over the whole problem. Devicemakers say they need more data on cybersecurity breaches, but hospitals say they could be vulnerable to bad publicity and litigation if they come forward with concerns.

Doctors and nurses may not even realize a cybersecurity breach has taken place with a defective device. The FDA meeting will bring together stakeholders from all of those groups and more.

One further risk involves patient reaction. Denis Foo Kune, CEO of medical-device cybersecurity firm Virta Laboratories, said attention to the issue of medical device cybersecurity in the media could undo progress on the technical front.

"My worry is that patients might make a decision mostly based on media reports and forgo medical therapy because of perceived security risks," Kune wrote in an e-mail. "In my opinion, as far as we know today, the benefits from therapy vastly outweigh the security risks."

Joe Carlson • 612-673-4779

Twitter: @_JoeCarlson