FDA issues final guidance to medical device makers on cybersecurity

In its final guidance issued last week, the Food and Drug Administration is requesting that device makers assess what information hackers might target in connection with their devices, how hackers might attempt to access that information, and how device makers intend to address these issues both before and after putting their products on the market. In addition, the FDA is requesting that device makers report to the agency on a continuing basis regarding cybersecurity incidents that arise after product approval.

Medical devices currently on the market are considered relatively easy to hack, according to cybersecurity experts. Cybersecurity and device usability, unfortunately, tend to exist in inverse relation, so the challenge for device makers is to find a workable balance between the two.

See the Modern Healthcare article “FDA seeks cybersecurity assessments from medical-device makers,” the FDA press release, and the final guidance, entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” available online and in PDF form.

Computer viruses in medical devices: who should bear the costs for combatting? FDA issues warning, takes action

Computer virus infections of medical devices continue to be a serious issue, keeping healthcare provider IT departments busy removing malware.  (See our October 2012 blog post "Computer viruses on hospital medical devices: a growing concern; possible solutions").  The FDA has issued a warning regarding this threat, and is now asking, although not yet requiring, both healthcare providers and medical device manufacturers to take additional steps to heighten cybersecurity.

Via Modern Healthcare:

The Food and Drug Administration issued a notice on Thursday asking medical device manufacturers and healthcare facilities to introduce controls that would guard against cyberattacks on medical equipment and hospital networks.

Because many medical devices connect to the Internet, they are at risk of being infected with computer viruses that can affect the way they operate, putting patients' health in jeopardy. And devices and networks that are not properly secured leave them and the data they contain vulnerable to unauthorized access and use.

“Despite the fact that there has been no patient harm as the result of either inadvertent or intentional cybersecurity breaches, we understand FDA's desire to be cautious in this area,” Janet Trunzo, senior executive vice president of technology and regulatory affairs for the Advanced Medical Technology Association, said in a statement. “Our industry provides many life-saving or life-enhancing devices. So, it is important for both the manufacturers and the users of these devices to be aware of the potential for cybersecurity breaches.”

The FDA is recommending that manufacturers implement security controls such as user authentication, stronger passwords, physical locks and card readers. Other suggestions include security patches and restrictions on updates to authenticated code, as well as design approaches that maintain a device's critical functionality even in the event of an attack or breach.

Healthcare facilities, according to the FDA, should restrict unauthorized access to networks and devices, update antivirus software and firewalls, monitor network activity, and also develop strategies to maintain critical functionality when security is compromised.

The FDA is also requesting that manufacturers and healthcare personnel report cybersecurity events to MedWatch, its Safety Information and Adverse Event Reporting program, so as to identify vulnerabilities in an effort to reduce future incidents.

By Rachel Landen

“FDA warns about risk of cyberattacks on medical equipment, hospital networks,” Modern Healthcare (June 14, 2013)

Computer viruses on hospital medical devices: a growing concern; possible solutions

Medical device security experts report increasing issues with computer viruses on hospital medical devices.  Problem sources include inconsistent and/or incompatible security measures, as well as outdated operating systems.  The Government Accounting Office has sounded the alarm, requesting the FDA to address the matter.

See Forbes article at "Hospital Medical Devices 'Rampant' With Computer Viruses".

iPad EHR app certified for meaningful use

In a sure sign of the times, Drchrono, which offers a free electronic health record platform on the iPad, became the first iPad app to receive official ONC-ATCB certification. According to Healthcare IT News, "the drchrono EHR platform has been awarded ambulatory certification (ONC-ATCB) as a Complete EHR by San Luis Obispo, Calif.-based InfoGard, an Office of the National Coordinator (ONC) Authorized Testing and Certification Body (ATCB)". The app tracks a provider's use of the EHR and offers them key metrics to report to CMS, and includes many other features, such as billing and e-prescribing.

This is a huge step for a mobile EHR app, but its maker's regulatory hurdles may not be over.  Last week, we reported on the FDA potentially regulating the market of mobile healthcare devices and applications. Electronic and personal health records could be exempt from such regulation, unless the FDA adopts a broad definition of "clinical decision support," which includes decisions based on the information given to a provider via the EHR app or device.

Moreover, use of such mobile apps or devices in healthcare presents providers with a very long list of legal concerns. Privacy and security of patient data, compliance with state and federal laws (including Stark and anti-kickback statutes), assumption of risk and liability, along with many other critical issues, should be addressed in the contract between the healthcare provider and vendor of such software.

"iPad EHR gains meaningful use certification," Healthcare IT News (July 29, 2011).

"FDA's mobile medical app guidelines get everybody talking," Healthcare IT News (July 26, 2011).


FDA to regulate some mobile health applications

On July 19, 2011, the U.S. Food and Drug Administration (FDA) issued a guidance regarding the agency's plans to regulate select software applications intended for use on mobile platforms (mobile applications or "mobile apps"). According to the Washington Post, the FDA proposed to regulate only those mobile apps which: (1) act as an accessory to a regulated medical device; (2) turn a mobile device or gadget into a regulated device; and/or (3) make suggestions regarding a patient's diagnosis or treatment. Via the Post:

For example, an app that allows radiologists to view X-rays on an iPad or that turns an Android phone into a heart monitor would be regulated. But an app that stores medical records or provides training videos to physicians would not.

'We wanted to make sure that we are consistent in regulating medical devices so nothing has changed,' [FDA policy adviser Bakul] Patel said. If 'somebody makes a stethoscope on an iPhone, it doesn’t change the level of oversight we have of a stethoscope.'

FDA's guidance does not establish any legally enforceable responsibilities, but describes FDA's current thinking on this topic and should be viewed only as recommendations.  The agency will collect input from manufacturers and healthcare providers over the next 90 days.

You can view the full guidance by clicking here.