FDA Official: More Medical Device Vulnerability Discoveries Are Likely
New Cybersecurity Guidance for Device Manufacturers Coming Soon
The Food and Drug Administration expects more medical device security vulnerabilities to come to light in the year ahead as a result of improved awareness of cybersecurity issues, says Suzanne Schwartz, M.D., a senior FDA official. And the agency will soon issue more guidance for medical device manufacturers addressing the cybersecurity of their products already in use, she says.
"We would expect that many more vulnerabilities will come to light because as you raise awareness of an issue and people are paying attention to it, there will be more vulnerabilities found and identified," she says in an exclusive interview with Information Security Media Group. Her comments came after her Sept. 2 presentation at an annual HIPAA security conference in Washington, D.C., hosted by the National Institute of Standards and Technology and the Department of Health and Human Services.
"We would also anticipate that with the steps that we have been taking, and with the approach with collaboration [among stakeholders in the healthcare sector], there will be a more proactive posture in dealing with medical device cybersecurity. So the emphasis on vulnerability management ... and coordinated vulnerability disclosure is an area where we expect to see progress in the next 12 months," Schwartz adds.
Helping to build that awareness are various collaborative efforts underway in the healthcare sector, Schwartz notes. These include the FDA working with the National Institute of Standards and Technology to adapt the NIST security framework for use with medical devices, as well as guidance that the FDA issued last year urging medical device makers to build cybersecurity into the design and life cycles of their products.
New Guidance in the Works
More FDA guidance for medical device makers is on the way, hopefully by the end of this year, she says. "We are working on articulating our policies in respect to post-market expectations for medical device makers" to address cyber vulnerabilities discovered after their products are already being used by healthcare providers, Schwartz says.
Despite the vulnerabilities in medical devices uncovered by independent researchers - including flaws spotlighted in a recent FDA alert about certain infusion pumps from manufacturer Hospira - it's critical to note that so far, the FDA has not received reports of patients actually being harmed by cyber-attacks on devices, Schwartz stresses.
"It's important to emphasize that to date, FDA have never received [a report of], and is unaware of any actual exploit of a medical device that has happened in use or in a clinical environment," she says. "The demonstrations of such capabilities have been done in a controlled laboratory setting."
In the interview, Schwartz also discusses:
- Why collaboration among independent researchers, who look for cyber vulnerabilities, and medical device manufacturers is important;
- Why some medical device makers become defensive when they are informed about cyber vulnerabilities discovered by independent researchers;
- Progress that the FDA is seeing in the cybersecurity of medical devices.
As director of emergency preparedness/operations and medical countermeasures at the FDA's Center for Devices and Radiological Health, Schwartz represents the FDA across several inter-agency initiatives and integrated program teams on chemical, biological, radiological and nuclear threats, natural disasters and emerging infectious diseases. She also serves as co-chair of the Government Coordinating Council for the Healthcare and Public Health Sector. Her efforts in this role are mainly focused on strategic engagement of sector stakeholders to strengthen cybersecurity for critical infrastructure. Before joining the FDA, Schwartz served on the general surgical faculty at the Weill Cornell Medical Center in New York.