FDA Looking at Gaps in the Cybersecurity of Medical Devices
Earlier this week, the US Food and Drug Administration (FDA) announced that it would be hosting a two-day Public Workshop entitled "Moving Forward: Collaborative Approaches to Medical Device Cybersecurity."
The workshop will be hosted at FDA on January 20-21, 2016, from 9:00 am – 5:30 pm. The agenda for the meeting has not yet been posted.
FDA will host the meeting in collaboration with the National Health Information Sharing Analysis Center (NH-ISAC), the Department of Health and Human Services (HHS), and the Department of Homeland Security (DHS). The agencies are seeking to bring together diverse stakeholders to discuss complex challenges in medical device cybersecurity that impact the medical device ecosystem. The purpose of this workshop is to:
- highlight past collaborative efforts;
- increase awareness of existing maturity models (i.e., frameworks leveraged for benchmarking an organization’s processes) which are used to evaluate cybersecurity status, standards, and tools in development; and
- engage the multi-stakeholder community in focused discussions on unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity.
As we previously reported, FDA has increasingly been paying attention to medical device cybersecurity, with the agency issuing its first public Safety Communication about cybersecurity for an infusion pump in May 2015. In fact, the announced workshop comes only a few days after a report from Forrester Research predicted that there may be an increase in attacks on personal medical devices, which the researchers referred to as "ransomware."
Given that FDA has already issued guidance on cybersecurity considerations for premarket design of medical devices, it will be interesting to see whether this public workshop will focus on FDA's expectations for postmarket cybersecurity, including what standards and expectations the agency will have for industry and related stakeholders. This discussion and its timing are particularly important given that healthcare systems are becoming increasingly interconnected, including through the use of electronic health records (EHRs) and various other forms of health information technology (HIT) and clinical decision support.