The confluence of medical technology and wireless communications has led to some health care innovations that a decade ago would have been considered science fiction. Pacemakers that transmit real-time data to physicians hundreds of miles away; ultrasounds on smartphones; insulin pumps that connect to glucose monitors to provide seamless delivery of care. These are just a few of the innovations that are now possible, allowing physicians and hospitals to provide more efficient and more effective care.
But like all interconnected devices, medical devices are vulnerable to cyberthreats. Unfortunately, TV shows and movies, in the interest of creating outlandish plots, expose viewers to over-the-top portrayals of medical devices being hacked. One memorable example of this was the TV show “Homeland,” depicting an assassination attempt on the vice president of the United States by hacking into his pacemaker.
These often-unrealistic depictions spread unnecessary fear of the potential cybersecurity threat to medical devices, without highlighting the important work of the FDA, device manufacturers and health care providers to anticipate and mitigate these threats. That doesn’t mean that the threat isn’t serious. Patient safety is always our primary concern, and we take the threat of any cybersecurity exploitation seriously.
America’s medical technology companies prioritize patient safety. Medical technology companies continuously assess device security because risks evolve daily. They address cybersecurity throughout the product lifecycle, including the design, development, production, distribution, deployment, maintenance and disposal of the device and associated data.
Similarly, manufacturers proactively manage medical device cybersecurity. This includes routine device cyber maintenance, assessing post-market information, characterizing vulnerabilities based on risk and implementing necessary actions in a timely manner. FDA regulations require comprehensive risk management programs, and failure to comply results in penalties.
Because cybersecurity is ever-evolving, the medical technology industry collectively developed its own set of principles. These ensure device manufacturers build a cybersecurity program based on the best available information, such as FDA guidance, National Institute of Standards and Technology publications, and consensus-based standards.
We also recognize that cyberthreats require the cooperation and collaboration of multiple stakeholders in the health care ecosystem. Medical technology companies, hospitals, physicians, IT professionals, providers, regulators and patients all need to work together so that the safety and integrity of interconnected medical devices are not compromised due to cyberthreats.
The FDA has worked collaboratively with our industry and the broader health care community to ensure medical device cybersecurity is implemented throughout all stages of product design and use. While manufacturers have long included cybersecurity considerations in pre-market development and post-market surveillance of devices, the agency’s guidance provides further instruction and clarification for medical technology companies. The FDA should also be commended for its work engaging with other federal agencies, including the Department of Justice, the FBI, the Department of Homeland Security and the National Institute of Standards and Technology.
Open communication is paramount to combatting cyberthreats. The medical technology industry has, with the FDA’s encouragement, collaborated with public-private organizations to establish a medical device information sharing and analysis organization. Like systems used in the energy and finance sectors, this program provides a streamlined mechanism for companies to submit and share information concerning cybersecurity-related issues.
The convergence of medical technology and communications is transforming health care. Our industry is committed to ensuring progress continues by rigorously addressing cyberthreats.