FDA 'playbook' aims to prevent hacking of medical devices


The FDA has unveiled new guidance outlining how healthcare organisations can prepare their medical devices and staff in the event of a security breach.

The US Food and Drug Administration (FDA) is striving to be prepared and responsive to any cyber vulnerabilities identified. It has launched a cybersecurity “playbook” aimed at healthcare delivery organisations to focus on promoting cybersecurity readiness.

Scott Gottlieb

FDA commissioner, Scott Gottlieb, issued a statement in collaboration with the non-profit Mitre Corporation, which manages federally funded research and development centres that support several US government agencies.

Gottlieb’s statement read: “The threat of cyber attacks is no longer theoretical. Cyber criminals and adversaries can inflict significant harm on networks through relatively simple methods, like emails or bugs known as malware.”

He noted that there have already been far-reaching and negative consequences of successful cyber campaigns on organisations.

“Victims include financial institutions, government agencies, and now health care systems. Even when medical devices are not being deliberately targeted, if these products are connected to a hospital network, such as radiologic imaging equipment, they may be impacted.”

He stressed that the FDA was not aware of reports of unauthorised users exploiting a cybersecurity vulnerability in a medical device that is in use by a patient, but warned that the risks exist.

The FDA also announced two memoranda of understanding (MOA) – agreements bringing together multiple stakeholders to allow for increased information sharing and transparency around cybersecurity risks.

It is also sharing premarket and postmarket guidance so manufacturers can consider potential risks in the design and development stage of a medical device, and also so that they can act swiftly should a security breach occur once the product is on the market and in use.

Additionally, the FDA is forging ahead with its plans to create a Centre of Excellence for Digital Health, he said.

This will “establish more efficient regulatory paradigms, consider the building of new capacity to evaluate and recognise third-party certifiers, and support a cybersecurity unit to complement the advances in software-based devices”.