HIMSS 2017: FDA debunks 4 medical device cybersecurity myths

ORLANDO, Fla.—Seth Carmody, senior program manager for medical device cybersecurity at the Food and Drug Administration (FDA), was scheduled to talk about the agency’s recently released postmarket cybersecurity guidance at the 2017 HIMSS conference in Orlando. Instead, he opted to do some regulatory myth-busting.

Carmody said the medical device industry is focused on fulfilling its intended use, which is primarily directed toward patient care. But this “creates a soft underbelly” for cybersecurity vulnerabilities that can impact patient safety and create organizational risk. Identifying and resolving vulnerabilities requires a collaborative approach from regulatory agencies, providers and device manufacturers. Last year, the FDA said medical device cybersecurity was one of its key priorities heading into 2017.

After warning device manufacturers at the session to "prepare themselves," Carmody turned the HIMSS17 session into a game of “fact vs. myth,” outlining some of the misconceptions surrounding the FDA’s regulatory oversight when it comes to medical device cybersecurity.

Myth: The FDA is solely responsible for medical device cybersecurity.

In fact, several federal agencies are responsible for regulating medical device cybersecurity risks, including the Department of Homeland Security (DHS) and the Department of Health and Human Services (HHS). Carmody said collaboration between federal agencies is a necessity, not a “kumbaya thing.”

Myth: Medical device manufacturers can’t issue updates or cybersecurity fixes without FDA approval.

Manufacturers can update a device at any time for any reason, according to Carmody, so routine cybersecurity updates do not need FDA approval. However, the FDA’s premarket guidance states that security updates issued to fix vulnerabilities that could cause adverse health consequences or death are not considered routine updates.

Myth: The FDA tests medical devices for cybersecurity vulnerabilities.

As Carmody pointed out, the FDA itself doesn’t test devices at all. According to the FDA’s guidance, “postmarket cybersecurity information may originate from an array of sources including independent security researchers, in-house testing, suppliers of software or hardware technology, health care facilities, and information sharing and analysis organizations.”

Myth: Healthcare organizations can’t patch or update a device for cybersecurity reasons.

Although the FDA prefers a collaborative approach to device updates, organizations can issue a patch or update with the understanding that they assume the risk associated with that update. Most organizations, for example, are comfortable initiating a simple Windows patch update on their own, while other updates carry greater risks.

“It gets a little more dicey when [a device] touches patients,” Carmody said.

Carmody also touched on the vulnerabilities associated with the Internet of Things (IoT), noting that the FDA does not have an IoT classification. However, he said healthcare organizations should “apply security liberally” to any device.

Update: A previous version of this article stated that most IoT devices are exempt from FDA oversight. An FDA spokesperson clarified that although the agency does not have an IoT classification, any device that meets the FDA's definition of a medical device is potentially subject to regulation. Exemptions to certain regulations are based on the risks associated with the device. Information on device classification and exemptions can be found here.