Improved device security requires cooperation, collaboration

The security of medical devices has dramatically changed over the past 18 months and is “most keenly seen through incident response,” said Suzanne B. Schwartz, MD, MBA, of the FDA’s Office of the Center Director (OCD), Center for Devices and Radiological Health (CDRH). She spoke in Washington, D.C. at Safeguarding Health Information: Building Assurance through HIPAA Security, a program hosted by the Dept. of Health & Human Services’ Office of Civil Rights and the National Institute of Standards and Technology.

Incident response went from being very one-dimensional, she said, to security that has far greater breadth and depth. “We recognize the challenges for what they truly are. They span the total lifecycle of the product and cross the entire spectrum of healthcare,” she said.

Only a whole community approach to mobile device security can manage the obstacles, said Schwartz. “No one organization, no sole stakeholder is going to be able to address and solve these issues on their own.” The government needs the private sector to be part of the process of solution building and mobilize the community and the entire mobile device ecosystem. Many diverse stakeholders, from venture capitalists and regulators to professional societies and payers, have a stake in this space.

Three core concepts will advance better mobile device security, Schwartz said: awareness, preparedness and collaboration. “These are not standalone principles. They need to be integrated. They can’t be siloed efforts.”

While there already are expectations of manufacturers to consider these in product design, “they should be even further leaning forward as to how these devices are going to be used in the healthcare setting,” she said. Device manufacturers need to “anticipate security design controls that need to be built in, not bolted on as an afterthought.”

Everyone also needs to recognize, she said, that there is “no such thing as a medical device being risk free or risk proof. Risk can be mitigated and managed and there’s a responsibility to do so but one can never eliminate risk entirely.”

That’s important to acknowledge, as the majority of encounters patients have today likely will include a networked medical device. However, there is a varied response to purchasing, installation and maintenance. “Every hospital is different with variable control over what’s placed on a network. There is inconsistent training and education on security risks.” But she said she sees a trend toward improvement in these areas.

As her office looks ahead to premarket cybersecurity expectations, collaboration with federal partners and postmarket surveillance, “I can’t say enough how much depends on cooperation and collaboration. Cybersecurity in particular and the ability to strengthen critical infrastructure will rely heavily on that basic underpinning.”

Beth Walsh, Editor

Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.
