The Food and Drug Administration wants to stop cybersecurity threats to connected medical devices through regular patching.
As part of its Medical Device Safety Action Plan, the agency wants the software and firmware in such devices to be patchable on an ongoing basis.
“To avert potential risk, cybersecurity needs to be included in product design and development, including capabilities that enable device patching and updating in a timely way,” the plan states. “Appropriate threat modeling and premarket testing needs to be conducted to assess the adequacy of security for the device’s use environment.”
The plan also highlights the importance of information sharing in mitigating cybersecurity risks, noting that the FDA frequently collaborates with DHS on cybersecurity vulnerabilities. It also states that the FDA has been “taking steps towards creation of a collaborative, multi-stakeholder environment that fosters communication about cybersecurity vulnerabilities that may affect the safety, effectiveness, and security of medical devices, or the integrity and security of the surrounding healthcare IT infrastructure.”
The agency says it has been working with external partners to improve the cybersecurity of connected devices, through several initiatives including the establishment of Information Sharing Analysis Organizations.
The plan also proposes setting up a CyberMed Safety (Expert) Analysis Board (CYMSAB), a public-private partnership that would complement existing device vulnerability coordination and response mechanisms and serve as a resource for device makers and FDA. Its functions would include assessing vulnerabilities, evaluating patient safety risks, adjudicating disputes, assessing proposed mitigations, serving in a consultative role to organizations navigating the coordinated disclosure process, and serving as a “go-team” that could be deployed in the field to investigate a suspected or confirmed device compromise at a manufacturer’s or FDA’s request.