The U.S. Food and Drug Administration (FDA) has recently launched its Medical Device Safety Action Plan, whose main focus is to give assurance of the safety of connected medical devices. The organization has put its main focus on patients relying on medical devices, as seen from the slogan of the Action Plan: ‘Protecting Patients, Promoting Public Health’.
The plan leans heavily on cybersecurity measures to reduce risk and curb breaches associated with connected devices. After all, security breaches cost everyone time and money, and better cybersecurity is something the whole world is working to achieve. Some of those measures are outlined below:
- A consideration that firms should update and patch device security as part of product design and submit a “Software Bill of Materials” to the FDA.
- Ensuring that there is an up-to-date guide to the medical device’s security before it is released onto the market.
- Establishing a body to follow up on post-market requirements for firms to adopt policies and procedures for reporting known threats or risks.
- Finally, evaluating the improvements offered by a CyberMed Safety (Expert) Analysis Board (CYMSAB).
This plan is well structured, but before it is even implemented and its suitability for addressing cybersecurity breaches is checked, two very real concerns remain:
- What is the security plan in place for those devices that are already in the market?
- What approach is in place to prepare for the future of cybersecurity?
The plan is clearly inclined to address the future security of medical devices. It fails to adequately address the past, which affects the present. More importantly, it may not adequately address the evolving threats that cyber thieves represent.
Here are some of the recommendations we put forward for consideration when reviewing the plan for Medical Device Safety:
Pre-market ‘hardening’ of Devices
Manufacturers should be required to ensure that their devices are up to standard where cybersecurity is concerned before releasing them onto the market. There are various bodies from which the standard can be set. The Defense Information Systems Agency (DISA) or the Center for Internet Security (CIS) benchmarks can be used as references for ‘hardening’ devices. This way manufacturers may be able to bypass the lengthy processes required to test and approve security updates once devices are in the marketplace.
Constant evaluation of Device connectivity
There should be a requirement that manufacturers define a clear connectivity path for their devices: which destinations, ports, and protocols the device is expected to use. This makes it possible to monitor for behavioral changes that are foreign and unwelcome. Users are also better able to understand the range of device performance on the network.
Standardized Communication by the Manufacturers
A healthcare organization deals with thousands of devices from different manufacturers, so good communication is difficult. Today, providers are expected to contact the manufacturers about the known or expected vulnerabilities of their devices. This wastes a lot of time in trying to ensure the security of the device environment. In some cases, manufacturers are being asked to come up with a timely resolution to a problem only after it has been experienced. An effective risk-mitigation process would set rules about the expected standards of communication between manufacturers and providers.
Accountability by the Manufacturers
Manufacturers should address the issues related to vulnerabilities. Devices should be tested and certified ready for use by the manufacturers, not the providers. Especially when it comes to system or software updates, the manufacturers of devices should be held accountable. The manufacturer is better positioned to test and approve their applicability, or even to make recommendations on their usage to its client base. This way, both parties know who is accountable in case of a security breach.
Manufacturers should also be required to come up with a mechanism to monitor the behavior of devices connected to the network on a full-time basis. This monitoring should be adaptable to suit all organizations, whether small or big.
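The connectivity-path and full-time monitoring recommendations above can be made concrete as a manufacturer-declared connectivity profile that a provider checks observed flows against. The following is an added example, not code from the original post or from any vendor or the FDA: the profile format, the device names and the flow records are constructed for illustration.

```python
# Added example: check observed device network flows against a
# manufacturer-declared connectivity profile and report deviations.
# The profile format, device names and flows below are constructed
# assumptions, not an FDA or vendor standard.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    device: str
    dst_ip: str
    dst_port: int
    proto: str


# Connectivity profile the manufacturer would ship with the device:
# each entry is (destination network, port, protocol) the device may use.
PROFILE = {
    "infusion-pump": {
        ("10.20.0.0/24", 443, "tcp"),  # vendor update/telemetry server
        ("10.20.0.0/24", 123, "udp"),  # NTP time source
    },
}

# Constructed flow records as a provider's network monitor might collect them.
CONSTRUCTED_FLOWS = [
    Flow("infusion-pump", "10.20.0.5", 443, "tcp"),      # declared path
    Flow("infusion-pump", "10.20.0.7", 123, "udp"),      # declared path
    Flow("infusion-pump", "203.0.113.9", 443, "tcp"),    # outside declared network
    Flow("infusion-pump", "10.20.0.5", 22, "tcp"),       # declared host, undeclared port
    Flow("unknown-monitor", "10.20.0.5", 443, "tcp"),    # device with no profile
]


def flow_allowed(profile, flow):
    """True if the flow matches at least one declared (network, port, proto) rule."""
    rules = profile.get(flow.device)
    if rules is None:  # an unprofiled device is itself a deviation
        return False
    dst = ip_address(flow.dst_ip)
    return any(dst in ip_network(net) and flow.dst_port == port and flow.proto == proto
               for net, port, proto in rules)


def find_deviations(profile, flows):
    """Return the flows that fall outside each device's declared connectivity path."""
    return [f for f in flows if not flow_allowed(profile, f)]


if __name__ == "__main__":
    for f in find_deviations(PROFILE, CONSTRUCTED_FLOWS):
        print(f"deviation: {f.device} -> {f.dst_ip}:{f.dst_port}/{f.proto}")
```

The three flagged flows are the ones a provider would raise with the manufacturer under a standardized communication process.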
Consider the costs
The FDA’s plan should have factored in the amount of money that will be required to ensure it is carried out efficiently. For instance, the bandwidth required to store current data, devices, and patches is enormous, and most providers cannot adequately handle it. Resource support is at the core of ensuring that medical devices are secure and continuously operate as expected.
Cybersecurity is becoming a serious topic, especially where medical devices are concerned; people’s lives depend on them. If there is a chance that they could be compromised, the stakeholders involved, including providers and manufacturers, should treat cybersecurity with the significance it deserves. The FDA is often relied upon to handle these important tasks, but in today’s world it will require everyone’s assistance. The job is too big to leave to one organization.