Following a ransomware attack simulation within the clinical environment at CyberMed, the Food and Drug Administration’s Office of Strategic Partnerships & Technology Director Suzanne Schwartz reaffirmed the FDA’s proactive posture to swiftly move the needle on much-needed pre- and post-market medical device security.

“We are not waiting for harm,” said Schwartz. “We’re not going to wait for something to occur, then react to it.”

Although discussions around medical device security often bring up worries that it will take a patient being harmed for regulators to act, Schwartz was firm on the FDA's mission: the agency is proactively working on improving directives, guidance, protections and regulations.

Prime evidence of this is the newly released FDA guidance for ensuring medical devices are designed with cybersecurity in the forefront, as well as insights for premarket submissions for medical devices that hold known risks. The release is an update that will “supersede” the FDA’s 2018 draft guidance once it’s finalized, providing further iteration to the initial device insights released in 2014, explained Schwartz. The post-market cybersecurity guidance does not replace previous insights; rather, it speaks to the “overarching criticality of the quality systems regulation (QSR) for regulation considerations.”

One of the most important elements speaks to the QSR, which outlines and clarifies design controls. These insights impart that the FDA is taking “a very clear step” in the importance of securing devices from “the earliest phases of design and development,” and the entire device management and maintenance throughout its lifecycle must be aligned with QSR.

“This guidance was written to mark the importance of manufacturers considering the QSR, even before the device goes on the market,” said Schwartz.

The FDA holds an important role in bolstering medical device security across healthcare with its pre- and post-market guidance, designed as a living document that outlines the FDA's expectations for device manufacturers.

“The point is to put in place the necessary protection, security measures and controls so that we’re anticipating the possibilities for cyber intrusion or exploit of identified vulnerabilities,” said Schwartz. “The time to be addressing those vulnerabilities is when they're identified or when they're assessed, in terms of risk, not when that vulnerability has been exploited.”

“And there are some consequences to that,” she added. Overall, the guidance clearly calls out the importance of the QSR and stresses that manufacturers can’t “wipe their hands clean” when it comes to ensuring the security of medical devices throughout the lifecycle.

At the end of the day, the FDA is attempting to align its efforts with the ongoing federal actions for the private sector and the call to action on securing the critical infrastructure.
FDA on medical device security: ‘We’re not waiting for harm’ to act

Medical device security is a critical focus for the FDA, which is proactively working to ensure vulnerable tech is designed with security in mind. (Photo credit: "Clean colors" by Zdenko Zivkovic is marked with CC BY 2.0.)