Security must be baked into med devices, report stresses

Security must be a priority from the outset of medical device creation, as opposed to a tacked on afterthought, a new report published this week stresses.

The report, developed by the Atlantic Council in conjunction with Intel Security, also calls for improvements to public-private and private-private security collaborations, as well as an "evolutionary change of the regulatory approval paradigm" for medical devices.

"Adding security features to products after their initial rollout is a losing battle," the report's authors say. "It is simply too costly and ineffective to try to secure systems already in the possession of the end user."

At an event unveiling the report in the District of Columbia on Wednesday, Suzanne Schwartz (pictured), director of emergency preparedness, operations and medical countermeasures at the U.S. Food and Drug Administration, spoke on a panel about the need to "bake security" into the design of medical devices. She added, however, that the possibility of being able to eliminate all risk does not exist.

"That's why everything is a risk-related decision," Schwartz said. "That's how the FDA regulates drugs and devices. You're never going to eliminate all risk; you're never going to eliminate all vulnerabilities. The idea of being able to manage that risk appropriately," is the best approach, she said.

Regarding making changes to the regulatory approval process, the report's authors suggest possibly streamlining the process. Some device makers, they say, "push old technologies and stifle innovation," knowing that the old tools will gain FDA approval. "This can discourage manufacturers from innovating, which can actually result in decreased network security," the authors say.

They add that the regulatory process should encourage both security by design and the ability to patch such tools. Schwartz, reading directly from cybersecurity guidance published by the FDA for medical device makers last fall, clarified during the discussion that the agency typically won't review or approve changes made to devices solely to strengthen cybersecurity.

"Our guidance actually speaks to that," she said. "In terms of debunking this myth that, every time a software update or a patch needs to happen that a company would need to come in to the FDA with a new 510(k) or a new submission, that is not the case."

To learn more:
- here's the report (.pdf)