FDA Is Very Worried About Device Cybersecurity, and So Should We Be

Last week FDA hosted its first conference on cybersecurity of medical devices, where more than 100 experts discussed literally every aspect of the security of internet-connected medical devices and healthcare delivery organizations (HDOs). The take-home message was that medical devices are extremely prone to the risk of hacking and there is a long way to go before this risk can be reduced. Around the same time, an independent survey of more than 550 industry experts painted an even more dire picture of the current status of the protection of internet-connected devices and HDOs. About half of the medical device manufacturers do not follow the FDA guidance on cybersecurity, and about two-thirds of all medical device manufacturers believe that their devices could be hacked and hijacked illegally, causing potential harm to the patients using them. About one-third of medical device manufacturers have already experienced adverse effects to patients due to insecure medical devices. Yet only about 17% of medical device manufacturers are taking significant steps to prevent attacks. These numbers alone should scare any patient looking to use a Bluetooth or wireless connected medical device and push them to carefully verify that they got the right prescription.

In light of these numbers, one would wonder about the liability of the manufacturers of such risky medical devices. Why has FDA not enforced its own guidance on the industry, and why does the Agency allow high-risk medical devices on the market in the first place? The rise of devices connected via the internet, whether with wires or wirelessly, has been much faster than the normal pace of new regulations and guidance documents. The main reason for the rise in IoT (Internet-of-Things) devices is the rapid development of smartphones and high-speed internet. Each year, we get devices that are capable of doing far more than their immediate predecessors.

For FDA to stay ahead of the curve, it needs technological mastery similar to that in Silicon Valley. A month ago FDA announced a plan to create a Digital Health Unit to develop internal technical expertise and to streamline the agency's software review process and regulation of medical devices. However, it may be hard to compete with an industry bigger and richer than any the country has ever seen. That said, IoT devices are here to stay; it is not feasible to roll back technological advances, nor is it reasonable to avoid using improved platforms. The ransomware attack last month highlighted common issues with cybersecurity that could be addressed easily. Cybersecurity is directly linked to the cyber hygiene practiced by the users. It cannot be just FDA; the medical device manufacturers need to do their share of education about the current guidance, and even the end users, the patients, need to carefully comply with good cyber-hygiene practices. It's a joint effort.
