FDA's Schwartz: Devices without vendor support 'enormous challenge' for cybersecurity

Medical devices no longer supported by the manufacturer present "an enormous challenge," the FDA's Suzanne Schwartz, M.D., tells HealthcareInfoSecurity.com in an interview.

The risk created by these devices will be among the topics discussed at a U.S. Food and Drug Administration workshop on medical device cybersecurity to be held Oct. 21-22.

The workshop's goal is to build collaboration among stakeholders and to create a common understanding of what the challenges are and what the solutions might be, according to Schwartz, director of emergency preparedness/operations and medical countermeasures at the FDA's Center for Devices and Radiological Health.

On Oct. 1, the FDA published final cybersecurity guidance for medical device makers. It calls on manufacturers to document the risks they have identified and any controls developed to mitigate them. The FDA also says it wants to see manufacturers' plans for patching and updating medical device software and operating systems.

"Rather than looking at cybersecurity as a measure that would be bolted on in a late phase, we're asking for manufacturers to consider these matters in the initial design and development to enable a more robust mitigation of what those risks would otherwise look like," Schwartz said in the interview.

Though the guidance does not mandate such an approach, the FDA will expect it, Schwartz said. Manufacturers can present an alternative approach, but they must provide evidence that it meets all the regulatory requirements.

However, the FDA continues to stress that manufacturers do not need to resubmit devices for approval when they issue software updates or patches to address potential vulnerabilities, "unless there is a very, very specific concern toward the impact of that patch or update affecting the functionality of the device."

In an interview with FierceHealthIT, Mac McMillan, chairman of the HIMSS Privacy & Security Policy Task Force and CEO of IT security consulting firm CynergisTek, expressed concern about hospitals continuing to use unsupported medical devices, particularly those running Windows XP, for which Microsoft ended support in April 2014.
