This is the most recent move in the FDA’s attention to medical device software and medical device safety, which started in 2002 when the agency published its Guidance on Software Validation. Since then, the use of software in medical devices has expanded and become more complex.
The FDA has moved towards managing cybersecurity risks from both a premarket and a postmarket perspective. This market development, alongside growing awareness of the cyber safety of medical devices, has led the FDA to direct its attention toward cybersecurity and toward protecting public health from vulnerabilities introduced by the expanding use of software in medical devices.
As technology advances, healthcare services worldwide are increasingly digitized and connected to the internet, which allows better integration between services, devices, caregivers, and patients. This connectivity improves the portability of patient information and enables new avenues of patient-centric care, but it also opens up the potential for data theft and malicious device tampering, the risks that the management of cybersecurity in medical devices is concerned with.
Data theft and tampering offer an example: in April 2017, Abbott Laboratories reviewed certain implantable cardioverter defibrillators (ICDs) and cardiac resynchronisation therapy defibrillators (CRT-Ds) in order to issue a corrective firmware fix that eliminates a few security defects, including the life-threatening ability for outsiders to access compromised devices and rapidly deplete their batteries or alter their functional outputs. The FDA approved this recall and says that there are no known reports of patients being harmed due to these cybersecurity flaws (FDA, 2018b).
Medical device vulnerabilities extend well beyond wireless devices. Recently, a research group identified computed tomography (CT) scanners as a key point of vulnerability in hospitals and showed that the devices’ operations could be maliciously altered. The report demonstrates that the CT device exploit could lead to radiation overdose or data manipulation.
As with CT scanners, numerous devices are connected to a computer or have a computer embedded inside them, which opens up a wide range of vulnerabilities if their operating systems are not up to date. These operating system exploits can be especially disruptive, as was seen in the 2017 cyberattack known as the “WannaCry ransomware cyberattack”.
This attack spread worldwide and had a significantly negative effect on National Health Service (NHS) hospitals in the UK, some of which were forced to divert patients. Following WannaCry, NHS Digital evaluated 200 trusts and found that every one of them was still vulnerable to further attacks, showing a critical need for regulatory bodies to fully address the issue of cybersecurity.
The FDA has recently released a press statement that laid out the agency’s commitment to improving medical device safety. In this announcement, the FDA emphasised both the significance of managing the life cycle of devices and the pressing need to create robust resources to defend against cyberattacks. As devices keep becoming more complex, integrated, and connected, it is essential that they are secured from cyberattacks over their entire lifecycle to ensure that they are safe to use.