Whereas in the past, the term “medical device” referred to instruments such as stethoscopes and X-ray machines, today it refers to something a bit more hi-tech. In the wake of increasingly interconnected systems and devices, the Food and Drug Administration have created recommendations for manufacturers of such devices to prevent cybersecurity risks to patient health information.

Interconnected systems and devices such as smartphones with health apps make patient data more readily available for doctors, but are such devices secure?

A major benefit of health care in the 21st century is that patient health data is more accessible – both to the physician and to the patients themselves.

Smartphone health apps are becoming increasingly popular, and Medical News Today recently reported on the release of the Apple HealthKit, which enables patients to automatically share data from their blood pressure app with their doctor.

Though this free flow of information provides better insight into a patient’s health, could it also present risks in terms of cybersecurity? The Food and Drug Administration (FDA) address this issue in their guidance recommendations for manufacturers of medical devices, which urge them to consider cybersecurity risks when designing and developing such devices.

Previous studies have shown that more interconnected and interoperable devices can improve patient care and make health care systems more efficient. MNT recently reported that an app tracking patients’ vital signs has led to falling death rates in UK hospitals.

However, like computer systems, medical devices can be open to security breaches, which could affect safety and effectiveness of the device itself. But the FDA say that by considering potential cybersecurity risks while designing the devices and software updates, manufacturers can reduce this risk.

As part of the new guidance, the FDA recommend that manufacturers submit documentation to the organization about risks identified and controls in place to mitigate such risks in their devices.

Additionally, the guidance strongly recommends that manufacturers submit plans for providing patches and updates to operating systems and medical software.

Commenting on their guidance, Dr. Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures at the FDA, says:

“There is no such thing as a threat-proof medical device. It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”

The organization says their concerns about such cybersecurity weaknesses include malware infections on medical devices, smartphones, tablets or computers that are network-connected and are used to access patient data.

Other areas of vulnerability include unsecured or uncontrolled password distribution, failure to provide adequate security software updates and patches to medical devices and networks, and “off-the-shelf software” designed to prevent unauthorized access to networks or devices.

Though the FDA have released these recommendations, they emphasize that they do not have any indication that specific devices or systems have been targeted, and they also do not have any reports that patients have been harmed by cybersecurity breaches.

However, the organization remains vigilant about cybersecurity vulnerabilities and public health impacts that could occur as a result. As such, the FDA have been working with other federal agencies and the medical device industry to communicate these potential vulnerabilities to stakeholders.

Later this month, the FDA will hold a public workshop in Arlington, VA, to discuss how organizations and individuals can work together to improve security of medical devices.

MNT has recently reported on a number of wearable self-monitoring devices.