October 18, 2018 01:00 AM

Medical device manufacturers need to say what's in their products

Rachel Z. Arndt
    Many post-market studies still aren't finished years after a device goes on sale.

    The FDA wants medical device manufacturers to package their products with a list of their hardware and software components, according to new draft guidance on medical device cybersecurity.

    The "cybersecurity bill of materials," as the FDA is calling it, would help end users keep a closer eye on the security of their medical devices, making sure there are proper safeguards in place to keep the devices functioning even if there are vulnerabilities.

    "A cybersecurity bill of materials can be a critical element in identifying assets, threats and liabilities," the FDA said.

    The agency foreshadowed the requirement for a bill of materials in its Medical Device Safety Action Plan, released in April 2018. In that document, the agency wrote that a bill of materials would help users "better manage their networked assets and be aware of which devices in their inventory or use may be subject to vulnerabilities."

    Many in the industry have called for bills of materials for a long time.

    "We don't necessarily have a secure supply chain in general," said David Ross, principal and cybersecurity growth leader for Baker Tilly's risk, internal audit and cybersecurity practice. "A bill of materials might help your staff when you're procuring these devices. You could do a risk assessment and quantify the overall risk from a cyber perspective for any given device."

    The FDA's draft guidance for premarket submissions, released Wednesday, updates the FDA's 2014 final guidance. "The rapidly evolving landscape, and the increased understanding of the threats and their potential mitigations, necessitates an updated approach," according to the FDA.

    Security risks have been increasing with the proliferation of the internet of things, as devices with network connections become more common. Organizations have boosted their IT budgets, with the average budget now at $30 million per year, according to the Ponemon Institute.

    Overall, the agency seems to be focusing on controls more than processes, Ross said. That makes sense, given the FDA's position as a regulator. But it's important for hospitals and other organizations to pay attention to both controls and processes, he said.

    In the new draft guidance, the agency distinguishes between two kinds of medical devices: those that connect to other devices or networks and that could lead to patient harm if hit by a cyberattack, and those that aren't connected to other devices or networks and don't pose similar risks.

    The FDA recommends all devices require user authentication before device software or firmware can be updated. Device manufacturers should also include, with their products, information about when they'll stop offering security patches and software updates.

    "If the device remains in service following the end of support, the cybersecurity risks for end-users can be expected to increase over time," the guidance said.

    When in use, devices should be designed to reject, by default, any connection that hasn't been authorized. If an unauthorized USB drive is plugged into a device, the device should reject it automatically.

    Device makers should also limit which users can access certain functions of the device by requiring authentication at certain points, according to the guidance. A provider might get different access privileges from a system administrator, for example. Such tiered access is a best practice in the commercial world, Ross said.

    The FDA recommended other safeguards for devices once they're in use. Guided by NIST standards, the FDA recommended that devices be able to detect cyberattacks while in use and then notify users of the attacks.

    The comment period on the draft guidance runs through March 18, 2019.

    Modern Healthcare
    Copyright © 1996-2022. Crain Communications, Inc. All Rights Reserved.