With the rapid advancement in technology, the medical devices have been upgraded with technology to ease the performance of the medical devices. Really it has proved to be a boon in medical industry and the devices are been readily used by the hospitals, nursing homes and individuals at home. The medical services have undergone major improvement due to upgraded technology but simultaneously, the devices operating on the network is vulnerable to cyber-attacks. Intrusions by hackers have been noticed though they have not been successful in invading the devices and no loss of life or complications have been reported so far. The Food and Drug Administration (FDA) concern rose on the medical devices operated by networking or software programs and FDA drafted the guidelines for the manufacturer’s medical devices in October 2014 to secure Medical Devices Security.
The Guidelines of FDA to Protect Medical Devices from Cyber-attacks.:The concern was legitimate in the wake of cybercrimes gaining strength in cyberspace and here the concern was of the patients receiving treatments to rescue them from medical emergencies and vulnerabilities. FDA framed guidelines for the manufacturers on pre supply of devices and post supply lifelong maintenance and risk management to safeguard the equipment’s from cybercrimes.
Effective Premarket Cyber-security Guidelines:The manufacturers requires to take the responsibility of the functioning of devices throughout the life cycle of the medical device and their responsibility does not cease post supply. The software should not malfunction and it should be protected with strong password and upgraded in routine check-ups. The devices should have built in cyber security controls when they design and develop the product and it should be continuously monitored by them. When they float the devices in the market. Entire responsibility of the medical devices rest on the manufacturers and so the manufacturers require to be proactive to programme the security of medical devices. FDA recommends that manufacturers should define and document the process for assessing the cyber security vulnerabilities for their devices.
- FDA insists on efficient, timely and ongoing cyber security risk management for marketed devices by manufacturers. The users should be provided with relevant information on the device on how to cope with residual risks if any so that appropriate steps can be taken to mitigate the risk and make decisions for the further use of the device taking into consideration Medical Devices Security.
- FDA insists that the manufacturer should be a member of Information Sharing and Analysis Organizations (ISAO) which shares vulnerabilities and threat that impacts medical devices. The manufacturer has followed the documented guidelines of ISAO and it has been cross examined by the ISAO.
Effective Postmarket Cyber-security Guidelines:The FDA recommends that manufacturers require handling cyber security risk analyses which includes threat modelling for each of their devices and to update those analyses over time. Threat modelling is a procedure for optimizing Network/Application/Internet Security by identifying objectives and vulnerabilities, and then disclosing the measures to prevent the impact of, threats to the system. Threat modelling provides a framework to assess threats from malicious use.Manufacturers require to validate the software changes under the Quality System regulation.
Conclusion:The guidelines of FDA will go a long way in controlling the risk of cybercrimes and it is not the sole responsibility of the manufacturer to control the devices post supply rather the IT team, technicians, healthcare IT and networking team should take immense care to protect the devices from cyber threats. In case of any compromise found on this line should be immediately reported to the manufacturers and remedial action to control should be taken immediately for Medical Devices Security.