FDA Tackles the Escalating Medical Device Cybersecurity Threats
Cybersecurity and data breaches have been in public spotlight in the past several years as a result of recurring cyber-attacks on numerous organizations, business, its customers and communities in general. Media have been actively discussing cybersecurity trends and looking at the rise of identity technologies and web intelligence.
According to the U.S. Department of Health and Human Services Office of Civil Rights, more than 170 million American health records have been exposed since 2009. Such exposures lead to data breaches, causing the healthcare industry losses exceeding $5 billion per year.
Recent hacks of hospitals and infiltrations into healthcare providers’ computer systems evidenced that healthcare organizations are largely unprepared to protect patient information against the continuously developing landscape of cyber threats.
Furthermore, the pervasive use of new healthcare technology and electronic medical devices escalated the threat of cyberattacks and patient information theft. Such medical devices store the vulnerable information and come in different shapes and forms. They can be wireless portable data-management devices like fit-bits, iwatches and ipads, or huge diagnostic machines used in hospitals like ICU monitors, MRI, ultra sound equipment, CT, PET, infusion pumps, ventilators and other. The flow of data from and to medical devices can put protected health information at risk, not only causing substantial financial losses, but also triggering violation of federal and state privacy regulations.
In response to the rising concerns, on October 1, 2018, the U.S. Food and Drug Administration has released a statement from its Commissioner Scott Gotlieb, on FDA’s efforts to strengthen the agency’s medical device cybersecurity program as part of its mission to protect patients. The announcement states that the FDA will provide guidance on how medical device manufacturers should build safety controls to protect against both directed cyber-attacks and non-deliberate breaches.
The FDA had previously published two guidance documents related to the management of cybersecurity in medical devices, in 2014 and 2016. The first guidance specifies the content of pre-market submissions and recommends that manufacturers integrate risk management into the development of medical devices and provide the FDA with certain documents when they submit for approval. The 2016 guidance outlines post-market management and recommends that manufacturers continually monitor cybersecurity for products already on the market to account for new threats and vulnerabilities. The new draft guidelines, per Mr. Gotlieb, will highlight the importance of providing customers and users with software and hardware components of a device that could be susceptible to cyber-attacks and will be released in the coming weeks.
Although the FDA guidance are advisory in nature and not enforced by law, failure to comply with these recommendations can result in penalties for unsafe products and privacy violation of privacy laws.
The Health Law Gurus will continue to monitor FDA’s releases and publications. Be sure to check for updates.
The information contained in this publication should not be construed as legal advice, is not a substitute for legal counsel, and should not be relied on as such. For legal advice or answers to specific questions, please contact one of our attorneys.