Improved device security requires cooperation, collaboration
The security of medical devices has changed dramatically over the past 18 months and is “most keenly seen through incident response,” said Suzanne B. Schwartz, MD, MBA, of the FDA’s Office of the Center Director (OCD), Center for Devices and Radiological Health (CDRH). She spoke in Washington, D.C. at Safeguarding Health Information: Building Assurance through HIPAA Security, a program hosted by the Dept. of Health & Human Services’ Office for Civil Rights and the National Institute of Standards and Technology.
Incident response, she said, has gone from being very one-dimensional to security work with far greater breadth and depth. “We recognize the challenges for what they truly are. They span the total lifecycle of the product and cross the entire spectrum of healthcare,” she said.
Only a whole community approach to mobile device security can manage the obstacles, said Schwartz. “No one organization, no sole stakeholder is going to be able to address and solve these issues on their own.” The government needs the private sector to be part of the process of solution building and mobilize the community and the entire mobile device ecosystem. Many diverse stakeholders, from venture capitalists and regulators to professional societies and payers, have a stake in this space.
Three core concepts will advance better mobile device security, Schwartz said: awareness, preparedness and collaboration. “These are not standalone principles. They need to be integrated. They can’t be siloed efforts.”
While there already are expectations of manufacturers to consider these in product design, “they should be even further leaning forward as to how these devices are going to be used in the healthcare setting,” she said. Device manufacturers need to “anticipate security design controls that need to be built in, not bolted on as an afterthought.”
Everyone also needs to recognize, she said, that there is “no such thing as a medical device being risk free or risk proof. Risk can be mitigated and managed and there’s a responsibility to do so but one can never eliminate risk entirely.”
That is important to acknowledge because the majority of patient encounters today are likely to involve a networked medical device. However, hospitals vary widely in how they handle purchasing, installation and maintenance. “Every hospital is different with variable control over what’s placed on a network. There is inconsistent training and education on security risks.” But, she said, she sees a trend toward improvement in these areas.
As her office looks ahead to premarket cybersecurity expectations, collaboration with federal partners and postmarket surveillance, “I can’t say enough how much depends on cooperation and collaboration. Cybersecurity in particular and the ability to strengthen critical infrastructure will rely heavily on that basic underpinning.”