FDA seeks cybersecurity assessments from medical-device makers

The Food and Drug Administration has issued final guidance asking medical-device manufacturers to address cybersecurity threats before and after their products are approved for sale. Cybersecurity is critical as medical devices increasingly connect with each other, the agency said.

The FDA said manufacturers should identify what information or other assets hackers might target and how they might get to it. The companies are asked to consider the tradeoffs between greater security and usability and determine the risk level associated with a particular threat. The agency recommends strategies that include limiting access through electronic authentication (such as passwords or biometric scans) and physical locks to prevent tampering, as well as different levels of access based on a user's role. For example, a technician might have more limited access to a program than a system administrator.

The agency recommends that manufacturers submit documentation to the FDA during the pre-approval process explaining how they are addressing cybersecurity issues with the product and how they will continue to address them after the product is on the market.

Although the agency notes increased vulnerability because of the proliferation of devices that connect to one another and to other networks, it has seen no evidence so far that such products have been hacked.

“The FDA has neither an indication that specific devices or systems have been purposely targeted, nor reports that any patients have been harmed as a result of cybersecurity breaches,” the agency said in a statement accompanying the guidance.

The Advanced Medical Technology Association, a trade group representing devicemakers, said the organization supports the FDA's efforts to raise awareness about cybersecurity threats, according to Jeff Secunda, the group's vice president of technology and regulatory affairs. He added, though, that manufacturers are already working to address the issue.

Robert Hudock, a cybersecurity expert at the law firm Epstein Becker Green says medical devices on the market now can be easily hacked, especially with the help of programs and tools that circulate on the Internet.

Even so, Bradley Thompson, one of Hudock's colleagues who specializes in health information technology regulation, said the FDA is right to take a flexible approach. “The trick is not to let widespread fear and theory drive us to imposing excessive security requirements that make the medical products less usable,” Thompson said. “Any time a manufacturer must add substantial security they also make it more difficult to do maintenance. Heightened security can also lead to unintended workarounds. So we obviously need to find the right balance.”

The FDA is convening a public workshop on cybersecurity from Oct. 21-22 in Arlington, Va.

Follow Darius Tahir on Twitter: @dariustahir