Although we typically imagine the U.S. Food and Drug Administration as a protector of dietary and medicinal products, its outreach is expanding into the realm of cybersecurity.
Two of the biggest cybersecurity threats existing today involve malware and unintentional employee infections of confidential systems. These threats can compromise delicate medical devices and threaten the health of the users relying on them.
In response to this emerging threat, the FDA is making medical device security a top priority. The FDA and the medical-security-focused MITRE Corporation are collaborating to address the existing vulnerabilities of medical devices to cyberattack. This approach involves better stakeholder engagement on critical issues and in-depth interviews conducted across the country to help develop a “roadmap” of medical device vulnerability. The end goal of this project, says Suzanne Schwartz, FDA director of emergency preparedness, is to establish a trusted ecosystem where security and vulnerability information can be collected, analyzed, and shared. According to Schwartz, the FDA has faced several challenges in this process:
- Defining basic responsibility for device cybersecurity
- Understanding device vulnerabilities for basic users
- Knowing the challenges manufacturers face trying to address security issues
- Reviewing expectations and accountability for manufacturers that must demonstrate their security protocols across each product’s lifespan
Addressing each of these concerns has been a primary goal of the FDA’s security strategy over the past few years.
The Need for Security
Device security relies on cooperation from multiple organizations. Both healthcare delivery organizations and device manufacturers must prioritize device security throughout each step of development and use. Healthcare organizations face constant threats from hackers trying to gain access to their privileged data. While electronic health records and hospital security infrastructure have improved, medical devices themselves have traditionally lagged behind.
MITRE’s contribution to the FDA’s initiative involves adapting the existing Common Vulnerability Scoring System to apply to medical devices in clinical settings. This assessment protocol accounts for considerations unique to each device and provides stakeholders with actionable data to be used in shaping the future of device security. The FDA and MITRE are addressing these loopholes to prevent future medical devices from being compromised and to establish protocols for better device security in the coming years.
Written by Dean Van Dyke, Vice President, Business Process Optimization
Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.