FDA Issues Medical Device Security Guidelines

The Food and Drug Administration (FDA) has just released medical device security guidelines for the use of medical devices in the healthcare industry.

The medical device security guidelines are contained within a report entitled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. The report covers the management of cybersecurity in healthcare and is intended to help developers of portable medical devices to incorporate the necessary protections into their designs to keep data secure.

Cyberattacks on healthcare organizations are on the rise, and the threat from hackers is now at an all-time high. The value of the data held by medical professionals and healthcare organizations makes them highly attractive targets, even more so because the healthcare industry has been slow to implement safeguards that keep pace with advances in technology.

A good example is the use of smartphones in healthcare. Many HIPAA-covered entities allow healthcare workers to use their own smartphones at work. BYOD (Bring Your Own Device) schemes can improve efficiency and productivity, but without security controls they are all but guaranteed to cause a HIPAA violation. One safeguard that can be used is a healthcare secure messaging app. Such software ensures that messages are encrypted and cannot be read by unauthorized individuals. Although affordable technology exists to safeguard medical data, many healthcare providers have yet to install such a system.

The FDA has identified numerous areas where data security vulnerabilities exist, of which viruses and malware have been deemed the main concerns. Couple this with inertia when it comes to installing urgent security patches and updates, and equipment becomes highly vulnerable to attack, especially in the case of aging computer equipment.

The FDA may not be able to force the healthcare industry to improve security systems, but it can take action to ensure that new wearable devices and other gadgets adhere to strict security standards. The report should send a message to tech manufacturers that they must take medical device security seriously.

The medical device security guidelines build on the NIST framework introduced in February this year, and provide further advice to companies to help them develop cybersecurity programs that minimize risk.

They suggest some of the security controls that should be adopted to reduce cybersecurity risk in healthcare and explain how to secure data on medical devices. The medical device security guidelines also cover the injuries that could result from a data breach and the damages and losses it can cause. The guidelines urge manufacturers to consider these when developing privacy and security controls for their devices.

The guidelines group the security controls into five core functions, Identify, Protect, Detect, Respond, and Recover, and cover what is required of manufacturers in each area. The FDA regards cybersecurity as such an integral part of the Internet of Things that cybersecurity controls must be built into the design of devices from the outset, and security should be a core element of the design of any device that stores, records or transmits personal data. For this reason, cybersecurity plans now need to be included with premarket submissions.

By treating security as an integral component of the viability and usefulness of the product, it is hoped that the industry will develop robust security systems that afford the level of protection healthcare data demands. After all, a medical device that transmits PHI or personally identifiable information without any security controls is useless in this day and age, and would be unlikely to gain FDA approval.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news