On December 28th, 2010, the FDA issued industry guidance for Postmarket Management of Cybersecurity in Medical Devices. The FDA requires that medical device manufacturers address all risks, including cybersecurity risk.
Here are a few tips you can follow during development to reduce the risk of a cybersecurity breach:
1) Incorporate cybersecurity into your risk management procedures, such as hazard analysis and DFMEA.
2) Review all interfaces, internal and external, for intentional and unintentional cybersecurity risks (user, hardware, software, etc.)
3) Review all third-party software, including operating systems, for intentional and unintentional cybersecurity risks
4) Review all procedures for intentional and unintentional cybersecurity risks
5) Document risk control measures in the form of requirements
6) Implement risk control measures within the design
7) Verify all risk control measures during development, prior to launch and periodically
8) Continuously assess risk control measure effectiveness
9) Define a sustaining plan to support software upgrades and operating system patches
10) Provide your customers with guidance and recommended cybersecurity controls
11) Define a company strategy on how to handle a customer breach, covering reporting, investigation, communication and corrective action
12) Take cybersecurity seriously
Note: The FDA typically will not need to review or approve medical device software changes made solely to decrease the risk of cybersecurity breaches.
Recent cybersecurity concerns:
Employee error exposed data of 16,000 Blue Cross patients online for 3 months.
© 2024 BeanStock Ventures