To kick off National Cybersecurity Awareness Month, the U.S. Food and Drug Administration released a statement in October regarding the agency’s continued emphasis on medical device cybersecurity.
The potential for device hacking “is no longer theoretical,” the agency explained. As cyberattacks have become more and more prevalent, the increasing number of medical devices connected to hospital networks creates a greater possibility that cybercriminals could exploit vulnerabilities in medical devices. While the FDA is unaware of any instances of unauthorized users hacking into a medical device, “the risk of such an attack persists.”
As part of the agency’s continued efforts to bolster medical device cybersecurity, the FDA announced several new initiatives, updates and collaborations. First, the FDA coordinated with the MITRE Corporation to launch a cybersecurity “playbook” to educate healthcare delivery organizations on the importance of cybersecurity and the impact cyberattacks could have on patients.
The playbook provides a primer on medical device cybersecurity; points to preparedness resources available to healthcare delivery organizations (HDOs); clarifies the roles of HDOs, governments, and medical device manufacturers in the event of a breach; and standardizes the procedure for responding to a cyberattack. Specifically, the playbook outlines a four-tiered approach to any medical device cyberattack: (1) preparedness; (2) detection and analysis; (3) containment, eradication and recovery; and (4) follow-up activity.
The FDA has also entered into two memoranda of understanding to create “information sharing analysis organizations,” through which HDOs, device makers and cybersecurity agencies can share information about device vulnerabilities. The hope is that increased transparency across the industry will lead to earlier detection of threats and increased emphasis on patient safety. The FDA is also in the process of executing a memorandum of agreement with the U.S. Department of Homeland Security to further cooperation between government agencies in combating cybersecurity threats related to medical devices.
The FDA’s statement also announced its plan to publish “a significant update” to its 2014 guidance document on premarket management of cybersecurity in medical devices. The update will include recommendations on providing patients with a “cybersecurity bill of materials,” which would list the components of any device that could be vulnerable to a cyberattack. This list, the FDA says, should help patients and providers quickly respond to potential threats.
Finally, the FDA’s statement highlighted its 2019 budget proposal, which included a request to create a “Center of Excellence for Digital Health.” The Center, the statement explained, would work to establish a clearer picture of cybersecurity regulations in the health care arena and would house a cybersecurity unit whose task would be to continue researching advances in securing internet-connected medical devices.
These initiatives and updates are proving timely, as states are beginning to consider cybersecurity for “internet of things” devices. Recently, California Governor Jerry Brown signed SB 327 into law, requiring any internet-connected device to have security features to “protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”
The law, applying to any product sold or offered for sale in California, is the first state law regulating internet of things devices. With the FDA and state governments exploring cybersecurity as it relates to internet-connected devices, it is paramount that health care providers use the resources available to them to protect their data and their patients.
Tim Hudson is a partner in Thompson & Knight’s trial practice group in Dallas. He specializes in defending, preparing, and trying cases involving product liability, commercial litigation, trade secrets, intellectual property and securities in state and federal trial courts and before governmental agencies.
Mackenzie Salenger is an associate in T&K’s trial practice group in Dallas. She focuses her practice on litigation and dispute resolution.
Connor R. Bourland also contributed to this article and is an associate in T&K’s trial practice group in Dallas. He focuses his practice on litigation and dispute resolution.