Cybersecurity threats are everywhere. Certain medical devices are susceptible to breaches in cybersecurity too. Many modern devices contain software integration allowing for updates in function and communication with healthcare providers. Improper modifications too medical device software may present a serious threat to the device’s safety and effectiveness. The Food and Drug Administration recently issued a draft guidance for Postmarket Management of Cybersecurity in Medical Devices. A device manufacturer must implement a management system that accounts for appropriate responses to cybersecurity threats. The system should include such things as: monitoring for identification and detection of cybersecurity vulnerabilities and risk; assessing and detecting the presence and impact of a vulnerability; establishing and communicating processes for vulnerability intake and handling; and defining essential clinical performance to protect, respond and recover from the cybersecurity risk.
Assessing the severity of a cyber threat may be critical to patients. Threat levels range from negligible (demonstrating inconvenience or temporary discomfort) to catastrophic (resulting in patient death).
Medical device manufacturers, hospitals and healthcare providers must be mindful of the integrity of their network security. They must be vigilant in educating employees and business associates regarding malware, malfunctions and tracking of device malfunctions. In July 2015, FDA issued an alert that Hospira’s Symbiq Infusion System was vulnerable to cybersecurity attacks. In that instance, Hospira determined that the infusion system could be accessed remotely through a hospital network allowing for dosage and administration to be modified. Hospira discontinued the device for unrelated issues.
Today’s medical devices need cybersecurity too.