FDA pushes for new medical device security measures

As researchers continue to find security flaws in medical devices and threat actors continue to target the healthcare sector, the U.S. Food & Drug Administration (FDA) is pushing for medical devices to have mandatory built-in update mechanisms.

The administration Tuesday released its Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health report to outline how the FDA can enhance programs and processes to assure the safety of medical devices.

In the report, the FDA asks Congress for funding and regulatory powers to improve its approach toward medical device safety on the cybersecurity front by enacting a plan to address unmet needs.

The plan focuses on establishing a medical device patient safety net, exploring regulatory options to streamline and modernize the timely implementation of postmarket mitigations, spurring innovation towards safer medical devices, advancing medical device cybersecurity, and integrating CDRH's premarket and postmarket offices and activities to advance the use of a Total Product Life Cycle (TPLC) approach to device safety, according to the April 17 press release.

“To facilitate this approach, CDRH is evaluating a potential structural design of one large office comprised of seven smaller device-specific offices that would each be responsible for premarket review, postmarket surveillance, manufacturing and device quality, and enforcement,” the report said. “The design also would include a new office that would be dedicated to clinical evidence and analysis, under which teams would be focused on clinical evidence policy, evidence synthesis and analysis, biostatistics, bioresearch compliance, and collaboration with and outreach to clinical researchers outside of FDA.”

The FDA is also looking to require medical device manufacturers to develop a “Software Bill of Materials” that must be provided for each medical device and made available to customers and users of the device.

The bill is intended to be used by hospitals, healthcare units, contractors, or users to determine how the device functions, what software is needed for which feature, and what technologies are used in the device.
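To show how a hospital or contractor would actually consume such a bill of materials, here is an added example that is not part of the report or of any FDA guidance. It parses a constructed, simplified JSON bill of materials for a hypothetical infusion pump (the schema, component names and versions are all invented for illustration and follow no particular standard), compares each listed component against a constructed advisory feed, and reports which device features depend on a component that is below its fixed version. The advisory identifiers are placeholders, not real vulnerability ids.

```python
import json
import re

# Constructed, simplified bill of materials for a hypothetical pump.
# Component names, versions and feature labels are invented for this example.
SAMPLE_SBOM = """
{
  "device": "Example Infusion Pump (hypothetical)",
  "components": [
    {"name": "example-rtos",  "version": "2.3.1", "feature": "pump control loop"},
    {"name": "example-tls",   "version": "1.0.4", "feature": "remote monitoring"},
    {"name": "example-httpd", "version": "0.9.0", "feature": "maintenance web UI"}
  ]
}
"""

# Constructed advisory feed: a component is considered affected when its
# installed version is older than "fixed_in". Ids are placeholders.
SAMPLE_ADVISORIES = [
    {"name": "example-tls",   "fixed_in": "1.0.5", "id": "ADVISORY-PLACEHOLDER-1"},
    {"name": "example-httpd", "fixed_in": "1.0.0", "id": "ADVISORY-PLACEHOLDER-2"},
    {"name": "example-rtos",  "fixed_in": "2.2.0", "id": "ADVISORY-PLACEHOLDER-3"},
]


def parse_version(version):
    """Turn a dotted version string into a comparable tuple of integers.

    Non-numeric suffixes such as "1.0.4b" are tolerated by keeping only the
    leading digits of each dotted part; missing parts count as zero.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def parse_sbom(text):
    """Load the bill of materials and validate the fields this checker relies on."""
    data = json.loads(text)
    for comp in data.get("components", []):
        for field in ("name", "version", "feature"):
            if field not in comp:
                raise ValueError(f"component missing required field {field!r}: {comp}")
    return data


def find_affected(sbom, advisories):
    """Return the components whose installed version is below an advisory's fix.

    Each hit carries the component name, installed version, the feature that
    depends on it, and the advisory id, so an operator can decide what to
    isolate or update first.
    """
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append({
                    "name": comp["name"],
                    "installed": comp["version"],
                    "fixed_in": adv["fixed_in"],
                    "feature": comp["feature"],
                    "advisory": adv["id"],
                })
    return hits


def affected_features(hits):
    """Collapse hits to the set of device features that depend on an affected component."""
    return {hit["feature"] for hit in hits}


if __name__ == "__main__":
    sbom = parse_sbom(SAMPLE_SBOM)
    for hit in find_affected(sbom, SAMPLE_ADVISORIES):
        print(f"{sbom['device']}: {hit['name']} {hit['installed']} "
              f"(fixed in {hit['fixed_in']}) affects '{hit['feature']}' [{hit['advisory']}]")
```

Run against the constructed input, the checker flags the TLS and web-server components and therefore the "remote monitoring" and "maintenance web UI" features, while the RTOS is already above its fixed version. The feature mapping is the part that makes a bill of materials useful to a hospital: it turns "library X is old" into "this clinical function is exposed."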

The news comes as security professionals in the private sector look to raise awareness of the threat that hacked medical devices will inevitably pose as well. Doctors at the 2018 RSA Conference in San Francisco simulated a scenario in which a compromised device resulted in a patient overdose.

The simulation demonstrated the steps a doctor would take to diagnose what had caused the patient to overdose and highlighted how easily doctors may overlook medical devices as the cause of patient illness in life or death scenarios. In the simulation it took precious minutes before the doctor realized that a malfunctioning pump was the cause of the crisis.