FDA’s efforts to strengthen the agency’s medical device cybersecurity program as part of its mission to protect patients

The threat of cyber attacks is no longer theoretical. Cyber criminals and adversaries can inflict significant harm on networks through relatively simple methods, such as malicious emails or malicious software (malware). Even when medical devices are not being deliberately targeted, products connected to a hospital network, such as radiologic imaging equipment, may still be affected.

The FDA isn’t aware of any reports of an unauthorized user exploiting a cybersecurity vulnerability in a medical device that is in use by a patient. But the risk of such an attack persists.

Securing medical devices from cybersecurity threats cannot be achieved by one government agency alone. Every stakeholder has a unique role to play in addressing these modern challenges: manufacturers, hospitals, health care providers, cybersecurity researchers and government entities. That’s why the FDA has long been committed to working with these stakeholders to stay a step ahead of constantly evolving cybersecurity vulnerabilities. Our Center for Devices and Radiological Health (CDRH) has taken a holistic, systematic approach to building our medical device cybersecurity program, as well as creating an environment where industry and other stakeholders understand the importance of this shared responsibility.

Our premarket guidance identifies issues manufacturers should consider in the design and development of their medical devices to ensure their products adequately address cybersecurity vulnerabilities. Our postmarket guidance outlines a risk-based framework manufacturers should use to ensure they can quickly and adequately respond to new cybersecurity threats once a device is in use.

The FDA’s policy leverages the National Institute of Standards and Technology’s Framework for Improving Cybersecurity of Critical Infrastructure. This underscores the importance of medical device manufacturers adopting the Framework’s five core functions: identify, protect, detect, respond and recover. The FDA does not compartmentalize its premarket and postmarket activities, nor assess them in isolation.

The premarket guidance was finalized in 2014. In the coming weeks, we plan to publish a significant update to that guidance to reflect the FDA’s most current understanding of, and recommendations regarding, this evolving space. For instance, the new draft guidance will highlight the utility of providing customers and users with a “cybersecurity bill of materials”: a list of the commercial and/or off-the-shelf software and hardware components of a device that could be susceptible to vulnerabilities.

Beyond our own policies, the FDA works proactively to create an environment of shared responsibility with diverse stakeholders, including other government agencies, industry, health care delivery organizations, cybersecurity researchers and others. These collaborations include actions through public-private coordinating councils and engagement directly with industry and patients alike.

Our partnering also extends to joint cybersecurity exercises that simulate scenarios involving medical device cybersecurity threats. The FDA has been exploring steps to continue building on the work that our stakeholders and the agency have already achieved toward these ends. We based these activities on our evolving experience from engagement with stakeholders, our review of premarket submissions, investigations of device-specific vulnerabilities, and participation in functional and tabletop exercises simulating medical device cybersecurity threats.

These exercises include the DHS-led ‘Cracked Domain’ functional exercise in 2013, the DHS-led Capstone National Level Exercise in 2016, AdvaMed’s Cybersecurity Summit in 2016, and a MITRE-convened tabletop exercise held on behalf of the FDA in 2017.
