Regulatory Open Forum


Cybersecurity Challenges and Issues

  • 1.  Cybersecurity Challenges and Issues

    Posted 28-Mar-2019 14:08


    From identity theft and fraud to corporate hacking attacks, cybersecurity has never been more important for businesses, organizations and governments. Cybersecurity is a huge global concern not just for manufacturers of healthcare and related products.

    Medical devices play a pivotal role in improving global healthcare. Hospitals and medical practitioners are increasingly using networked technology to improve the accuracy and efficiency in monitoring patient health and delivering healthcare services.

    Though these devices play an important role in transforming how healthcare services are provided to patients, they are vulnerable to cyber-attacks and pose a potential cybersecurity risk. The risk posed by an intentional cyber-attack is entirely different from the risk caused by unintentional cyber-attacks, which may be caused by design or security flaws. Intentional cyber-attacks are constantly evolving. The regulatory framework of the FDA is inadequate for addressing concerns related to rapidly emerging cybersecurity threats.

    Cybersecurity issues may compromise the confidentiality of patient data, the availability of patient care, and the integrity of healthcare information. The most common cybersecurity incidents that have been reported include disclosure of financial data and protected health information. The Identity Theft Resource Center has reported that 42.5% of the total breaches in 2014 were in the medical/healthcare industry. Further, 2014 was the third year in a row, since 2012, that the medical/healthcare industry topped the list.

    Suggested Approach and Recommendation to the Medical Device Industry

    The current regulatory approach by the FDA is inadequate for addressing cybersecurity issues with medical devices connected to a network. However, stakeholders should not wait for the agency to come up with new regulations. It is the foremost responsibility of the manufacturer to build a robust security architecture based on available guidance documents, international standards, and best practices followed in the industry. The manufacturer should employ a process-based approach in developing the security architecture. The security framework should address the current level of cybersecurity, set goals, and establish a plan for improving or maintaining cybersecurity. Stakeholders should apply the principles and best practices of risk management as per ISO 14971 to improve and maintain the security and privacy of devices connected to a network. To develop a security framework, the stakeholders in the industry should use the FDA guidance documents as a base and incorporate the appropriate international standards to make the developed framework robust. There are a few international standards that provide specific information on how to address the requirements of the FDA guidance documents. The international standard IEC 62304:2006 defines the lifecycle management of medical device software. Another applicable standard that defines the functions, responsibilities and activities required for risk management of medical devices connected to an IT network is IEC 80001-1:2010, together with the IEC/TR 80001-2 series of technical reports.



    ------------------------------
    Elijah Wreh
    Regulatory Affairs Manager and Industry Representative, FDA Advisory Committee Neurological Devices Panel
    ------------------------------