On October 2, 2014 the FDA issued a guidance reflecting its current thinking on the management of
cybersecurity in medical devices. Device manufacturers are encouraged to consider potential attackers and security breaches during the research, design, and development of medical devices. The FDA further recommends that manufacturers include their plans for protecting the device in premarket submissions. This has the potential to increase costs in all phases of production.
The FDA states that responsibility for securing device functionality and safety should be shared among stakeholders: device manufacturers, healthcare facilities, patients, and providers. How will this responsibility be divided, and who is ultimately accountable for a breach or a malfunction?
In devices such as ventilators, patient monitors, or surgical equipment, a lapse in security may place patients at risk of illness, injury, or death. The guidance recommends that device makers complete a risk analysis to identify assets, threats, and vulnerabilities. Who is responsible for interpreting and acting upon the results of that risk analysis? Does this responsibility lie solely with the device maker, or does it fall to the care provider or doctor, or even to the patient?
Further recommendations in the guidance center on threat identification and response plans developed in advance. The FDA is careful to strike a delicate balance between device security and access: devices must be secure, but they must also be readily available and accessible to healthcare providers. What if a doctor needs immediate access to a device for which he or she does not have a user ID?
Where does the balance lie between device security and access?
Who is responsible for ensuring cybersecurity in medical devices?
Do current devices already have cybersecurity features incorporated? Are these sufficient for patient protection?