Agency Says Remain Vigilant When It Comes to Medical Device Cybersecurity

WASHINGTON — As Cybersecurity Awareness Month comes to an end, the Food and Drug Administration is reminding the health care industry to remain vigilant when it comes to the cybersecurity of its medical devices.
Just like any other electronic device, medical devices can be vulnerable to security breaches that have the potential to diminish the safety and effectiveness of the equipment.
Over the past two weeks, the agency has published two pieces to help device manufacturers, other government agencies and health care providers stay ahead of the curve.
The first was an article published in the Journal of Clinical Engineering called “Digital Certificate Management for Medical Devices.”
The second was a white paper for manufacturers called “Data Normalization Challenges and Mitigations in Software Bill of Materials Processing.”
The FDA's efforts in this area kicked into high gear after the passage of the 2023 Omnibus package in December 2022.
It was at that time that the Federal Food, Drug, and Cosmetic Act was amended to reflect the challenges associated with the growing integration of wireless, internet and network-connected capabilities in the medical device world.
As more and more devices have begun exchanging medical health information electronically, the need for robust cybersecurity has become ever more critical, the agency said.
At the same time, the federal regulators say, cybersecurity threats to the health care sector have become more frequent and more severe, carrying increased potential for clinical impact.
“Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across health care facilities in the U.S. and globally,” the FDA says in the introduction of its cybersecurity page. “Such cyberattacks and exploits may lead to patient harm as a result of clinical hazards, such as delay in diagnosis and/or treatment.”
Increased connectivity has resulted in individual devices operating as single elements of larger medical device systems. These systems can include health care facility networks, other devices and software update servers, among other interconnected components.
“Consequently, without adequate cybersecurity considerations across all aspects of these systems, a cybersecurity threat can compromise the safety and/or effectiveness of a device by compromising the functionality of any asset in the system. As a result, ensuring device safety and effectiveness includes adequate device cybersecurity, as well as its security as part of the larger system,” the agency says.
Dan can be reached at [email protected] and @DanMcCue