The Food and Drug Administration is working to dispel the myth that medical device cyber vulnerabilities cannot be patched or otherwise mitigated without the agency's approval.
The FDA has produced a fact sheet to help sort through this and other myths about its medical device cybersecurity oversight, says Suzanne Schwartz, M.D., associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health.
"We have said over and over again that changes [to devices] that are being made solely to address cybersecurity - what we call routine updates and patches - one does not [need] to resubmit or recertify with the FDA," she explains in an in-depth interview with Information Security Media Group. "What the manufacturer does need to do is ensure that the update or patch that is going to be deployed is appropriately validated and documented within the manufacturers' own records."
The FDA does not want to be "a roadblock that would in some way slow down the process of advancing the security within the entire ecosystem at large," she adds.
'Open Door' Policy
Still, the FDA welcomes inquiries from device manufacturers and others whenever there is lingering confusion related to medical device cybersecurity issues, she says.
"We continue to underscore for medical device manufacturers that any time that there is some question or lack of clarity around what our stance is, or what our guidance says, we welcome those questions," she says.
The FDA's post-market cybersecurity guidance, which was released in December, explains when manufacturers would need to engage with the FDA, such as when dealing with "uncontrolled risk vulnerabilities," she points out.
In the interview (see link to audio below photo), Schwartz also discusses:
- Why the FDA's "non-binding" pre-market and post-market cybersecurity guidance for medical device manufacturers is not actually voluntary;
- Why more medical device makers are frequently consulting with the FDA about cybersecurity as they design and develop new products;
- The FDA's potential interest in examining new security technologies, including blockchain.
- The agency's medical device cybersecurity plans for 2017 and beyond.
As associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health, Schwartz assists in directing the development, execution and evaluation of the center's biomedical science and engineering programs. She previously served as the director of emergency preparedness/operations and medical countermeasures at CDRH. She also served as co-chair of the Government Coordinating Council for the Healthcare and Public Health Sector. Before joining the FDA, Schwartz served on the general surgical faculty at the Weill Cornell Medical Center in New York.