In my immediately prior post discussing a presentation by Suzanne Schwartz of FDA relative to cyber security in medical devices, I noted that the FDA had proposed regulatory actions during the next twelve months.
Hopefully by the end of calendar 2015, but not later than early 2016, FDA intends to formally articulate a policy concerning “post-market expectations.” One of the major issues in cyber security is that there is a large installed base of devices already in the marketplace, so that work done on new devices will not cure the existing marketplace risk. Guidance for what is expected from device manufacturers should be forthcoming.
The FDA also hopes to adopt the NIST framework relating to cyber security, making it understandable and applicable to medical devices. (For those not deep in the alphabet game, “NIST” is the National Institute of Standards and Technology.)
FDA proposes to provide a vulnerability scoring system for medical devices, with sensitivity to the context in which end-users come in contact with such devices.
Schwartz also discussed, albeit in general terms, premarket guidance. They want to see products where security is “baked in,” not “bolted on.” They want to see that you have applied a process for software validation. For new devices, in connection with FDA submissions they expect to see risk analysis, provision for response and ongoing monitoring, and a patch program. They are also interested in getting a sense of what they call “cyber hygiene,” which is a combination of good design, control of access to the software and a provision for routine “servicing” of the software.
With respect to medical devices already in the marketplace, “FDA generally will not need to review or approve medical device software changes made solely to strengthen cyber security.” This approach seems to be an effort to facilitate speed in fixing cyber problems identified in the marketplace.
Aside from the FDA's observation of resistance within the device industry to collaboratively addressing cyber issues, the various speakers in the aggregate made a compelling case for robustly addressing the issues presented. By the end of the decade, it is estimated that there will be twenty-six billion devices connected to the internet, and while most will not be medical devices, many of them will be. One speaker estimated that as much as forty-five percent of all of last year’s data breaches or hacks were in the medical field (hospitals, insurers, devices and the like). Theoretically, aside from fraud risk, hacking into medical devices could erase records, overload systems so as to create a DoS (denial of service) shutdown, expose patients with networked implants (such as pacemakers) to extortion threats, and even (in one reported case) permit a patient to hack into his own medical drip to increase the flow of narcotic painkillers.
And with the explosion of “wearable” devices, including Fitbits, the opportunities for device hacking will do nothing but proliferate in the future.