Why FDA's Device Security Draft Guidance Is a Game-ChangerAxel Wirth and Vidya Murthy of MedCrypt on Evolving Medical Device Cybersecurity
Recent draft guidance from the Food and Drug Administration represents a game-changer in how the makers of medical devices should approach the cybersecurity of their products, say Axel Wirth and Vidya Murthy of medical device security firm MedCrypt.
The draft guidance for premarket medical device cybersecurity reflects "evolved thinking" by the FDA regarding what cybersecurity means for medical devices, says Wirth, MedCrypt chief security strategist (see: FDA Document Details Cyber Expectations for Device Makers). The agency is accepting public comment through July 7.
"Cybersecurity really has become an essential part of the entire device development cycle, from concept, production, delivery and maintenance. Security is not a single event," he says in an interview with Information Security Media Group.
Among the most significant developments is a proposal that manufacturers adopt a security product development framework that pushes them to embed cybersecurity throughout a device's entire life cycle, says Murthy, MedCrypt chief operating officer, in the joint interview. The FDA didn't propose the framework in an earlier draft of the guidance released in 2018.
"Devices have a very particular development methodology and so the reference to the [product development framework] means no more bolted-on security, but rather it's security within this existing development methodology," Murthy says.
In the interview (see audio link below photos), Wirth and Murthy also discuss:
- Other significant developments involving medical device cybersecurity;
- Critical medical device security controls and best practices;
- Worrisome cyberthreats and related security concerns involving medical devices.
Wirth has more than 30 years of industry experience, including extensive work with medical devices and health IT, and has held leadership roles at companies including Siemens, Analogic, Mitra, Agfa, and Symantec. Wirth is also an adjunct professor of medical device cybersecurity at the University of Connecticut.
Murthy began her career in consulting. Prior to joining MedCrypt, she held cybersecurity risk management leadership positions at medical device maker Becton Dickinson.