By Amy Abernethy, M.D., Ph.D., Principal Deputy Commissioner and Acting Chief Information Officer and Suzanne B. Schwartz, M.D., M.B.A., Deputy Director, Office of Strategic Partnerships and Technology Innovation, Center for Devices and Radiological Health
Medical devices are increasingly advanced and interconnected, sharing information via Wi-Fi, the internet, our phones and across hospital networks. While the software and networking features behind these devices can support safer, more convenient and timely health care delivery, they also can increase cybersecurity risks. The U.S. Food and Drug Administration has issued nine safety communications for medical device cyber vulnerabilities since 2013. And with technologies rapidly evolving, cybersecurity vigilance is even more critical. But how do you raise awareness without raising undue alarm or causing unwanted consequences?
First, it is helpful to describe how cybersecurity concerns might affect medical devices. Many medical devices include computer software, either embedded in or external to the device. For example, a heart pacemaker includes computer code to set the rhythm of the heart. There is a concern that, similar to your personal computer, the software in these devices can be infected with malware (a “computer virus”) that changes the performance of the device. Other examples are hacking of the device’s computer code by third parties or leakage of personal health information from these devices.
The FDA works aggressively to reduce medical device cybersecurity risks. We share that responsibility with the medical device industry, health care delivery organizations, patients, security researchers, and other government agencies including the U.S. Department of Homeland Security and the U.S. Department of Commerce.
Over the past six years, the FDA has strengthened its relationships with cybersecurity experts, manufacturers and other federal government agencies to ensure medical devices are developed with cyber safety and risk management baked into the process, from premarket development through when they are on the market for patients to use. More recently, we have been engaging with patients and patient advocacy groups who are becoming increasingly aware of medical device cybersecurity.
Gaining the Patient Perspective on Cybersecurity
In September 2019, we had an insightful discussion with patients about medical device cybersecurity. The discussion was held through a meeting of the FDA’s Patient Engagement Advisory Committee (PEAC). Launched in 2017 by the FDA’s Center for Devices and Radiological Health (CDRH), PEAC is the agency’s first and only advisory committee whose members are all patients, caregivers and representatives of patient organizations.
The focus of the day-long meeting was “Cybersecurity in Medical Devices: Communication that Empowers Patients.” The gathering brought patients together with industry representatives, health care providers, independent security researchers and other stakeholders to tackle some tough questions. They told us they believe that medical device cybersecurity is a matter of national security, as well as one of patient safety.
How and when to alert patients about cyber vulnerabilities that could affect their medical devices is complicated for multiple reasons. When a vulnerability is first identified there may be limited information — we may not know the full scope of the issue or the number of devices impacted, for example. Cybersecurity communication is unusual in that the probability or likelihood of an exploit occurring cannot be quantified — it is not possible to predict if or when a bad actor might exploit a vulnerability. In addition, sharing information about weaknesses could inadvertently inspire a bad actor.
One thing we heard loud and clear from patients is that they want to be told about a cybersecurity matter even if a fix is not yet available. Patients said the information would allow them to serve as a “boots-on-the-ground” intelligence system that could alert the FDA to potential instances of harm to patients. At this time, the FDA has not received any reports of patient harm directly linked to a medical device cybersecurity incident.
Patients also noted that giving them knowledge about the existence of a cyber risk should not necessarily place responsibility on them to find more information. They encouraged the FDA to put the burden on industry to share information with patients if their device is associated with a risk, and that patients should not be burdened with seeking out the details.
Stepping Up Efforts to Strengthen Medical Device Cybersecurity
The day-long PEAC meeting gave us an opportunity to hear what patients want from the FDA in terms of cybersecurity risk information. We are exploring how we can enhance our communication to patients in a way that is responsible and empowers them in their health care decision making.
The FDA’s CDRH leads the agency’s work in medical device cybersecurity with a focus on holding manufacturers more accountable for identifying and improving responses to cybersecurity vulnerabilities. As part of these efforts, CDRH issued a final guidance on the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices in 2014. Last year, CDRH proposed revised recommendations for premarket submissions of devices with cybersecurity vulnerabilities in a draft guidance. The draft guidance proposes to recommend that manufacturers include a “bill of materials,” which is a list that includes, but is not limited to, commercial, open-source, and off-the-shelf software and hardware components that are or could become susceptible to vulnerabilities. We believe that a bill of materials would have been useful, for example, when a set of vulnerabilities known as URGENT/11 was detected earlier this year.
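To make concrete why a bill of materials helps, here is an added example (not FDA code, and not taken from the draft guidance) of how a manufacturer or a health care delivery organization could match a newly published advisory against the bills of materials of its device models. It also shows how that matching answers the scoping question raised above, which device models and how many are in scope. The SBOM layout is a simplified, CycloneDX-like JSON shape chosen for illustration, and every device name, component name, version and the advisory identifier is constructed for the example.

```python
import json

# Constructed sample bills of materials for two hypothetical device models,
# in a simplified CycloneDX-like shape. Every product, component and version
# here is invented for the example.
SBOMS = json.loads("""
[
  {"device": "Example Pump Model A",
   "components": [
     {"name": "example-rtos", "version": "6.8"},
     {"name": "example-tcpip-stack", "version": "2.1.3"},
     {"name": "example-compression-lib", "version": "1.4.0"}
   ]},
  {"device": "Example Monitor Model B",
   "components": [
     {"name": "example-rtos", "version": "7.0"},
     {"name": "example-tcpip-stack", "version": "2.2.1"},
     {"name": "example-ble-stack", "version": "3.0.0"}
   ]}
]
""")

# Constructed advisory for a hypothetical flaw in the TCP/IP stack component.
# A component is affected when version >= introduced and version < fixed.
ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER",
    "affected": [
        {"name": "example-tcpip-stack", "introduced": "2.0.0", "fixed": "2.2.0"}
    ],
}


def parse_version(version):
    """Turn a dotted numeric version string into a comparable tuple.
    Assumes plain numeric components such as '2.1.3'; anything else raises
    ValueError rather than silently failing to match."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, introduced, fixed):
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def affected_components(sbom, advisory):
    """Return the components of one bill of materials that the advisory covers."""
    hits = []
    for comp in sbom["components"]:
        for rng in advisory["affected"]:
            if comp["name"] == rng["name"] and is_affected(
                comp["version"], rng["introduced"], rng["fixed"]
            ):
                hits.append(
                    {"component": comp["name"], "version": comp["version"],
                     "fixed_in": rng["fixed"]}
                )
    return hits


def triage(sboms, advisory):
    """Map each device model to its affected components. A model with an empty
    list is out of scope for this advisory, so no update or patient
    communication about it is needed for that model."""
    return {sbom["device"]: affected_components(sbom, advisory) for sbom in sboms}


if __name__ == "__main__":
    for device, hits in triage(SBOMS, ADVISORY).items():
        status = "AFFECTED" if hits else "not affected"
        print(f"{device}: {status}")
        for hit in hits:
            print(f"  {hit['component']} {hit['version']} (fixed in {hit['fixed_in']})")
```

Without a bill of materials, the same question ("does this model ship the affected stack, and which version?") can take weeks of manual inquiry per model; with one, the scope of an advisory across a product line is a lookup, which is what lets a manufacturer tell patients promptly which devices are and are not affected.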
The CDRH cybersecurity vision is one where the medical device community takes bold action to transform medical devices from brittle to resilient. Every device would meet a security baseline; every device would be easily updatable; and patients would receive timely updates.
The FDA reaffirms its commitment to stakeholders to continue to advance medical device cybersecurity. Cybersecurity is a patient safety imperative. Patient safety depends on cyber safety.