Federal officials have released final guidance on protecting mHealth devices from hackers, and are calling on the mHealth community to build cybersecurity into their mobile health products.
The 30-page document, issued on December 28 by the U.S. Food and Drug Administration, builds on a list of recommendations issued in 2014 for device makers to include security in their design and development processes. The latest document targets mHealth devices that are already out in the marketplace.
“In today’s world of medical devices that are connected to a hospital’s network or even a patient’s own Internet service at home, we see significant technological advances in patient care and, at the same time, an increase in the risk of cybersecurity breaches that could affect a device’s performance and functionality,” Suzanne B. Schwartz, MD, MBA, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health, said in a blog post.
“The best way to combat these threats is for manufacturers to consider cybersecurity throughout the total product lifecycle of a device,” she wrote. “In other words, manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.”
The FDA’s latest document calls on mHealth companies to, among other things:
- Actively monitor and detect cybersecurity vulnerabilities in their devices;
- Understand, assess and detect the level of risk a vulnerability poses to patient safety;
- Establish a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities (known as a “coordinated vulnerability disclosure policy”); and
- Deploy mitigations (e.g., software patches) to address cybersecurity issues early, before they can be exploited and cause harm.
Schwartz also called on the mHealth industry to consider applying the National Institute of Standards and Technology’s (NIST) core principles for improving critical infrastructure cybersecurity: to identify, protect, detect, respond and recover.
“It is only through application of these guiding principles, executed alongside best practices such as coordinated vulnerability disclosure, that will allow us all to navigate this uncharted territory of evolving risks to device security,” she said.
mHealth advocates were quick to point out the FDA’s final guidance isn’t binding, so there are no requirements for developers to follow these guidelines and no penalties if they don’t. In her blog, Schwartz pointed out that the FDA would continue to work with the mHealth industry “to collaborate to simultaneously address innovation and cybersecurity.”
The healthcare industry has long thought about the potential for mHealth devices, from implantable pacemakers, insulin pumps and defibrillators to wireless monitors and EMR platforms, to be hacked, possibly with fatal consequences. Just this year, Johnson & Johnson became the first mHealth device maker to publicly warn users that one of its devices – the Animas OneTouch Ping insulin pump – could be remotely altered to affect insulin dosages.
The FDA itself has been sounding the alarm since 2013, when an FDA official told the Wall Street Journal that the agency was “aware that hundreds of medical devices that have been infected by malware” through out-of-date software, weak Internet portals and ineffective security protocols. In 2015, the agency called out Hospira, warning health systems that the company’s infusion pump could be hacked and controlled remotely.
“Today’s postmarket guidance recognizes today’s reality – cybersecurity threats are real, ever-present, and continuously changing,” Schwartz wrote in her blog. “In fact, hospital networks experience constant attempts of intrusion and attack, which can pose a threat to patient safety. And as hackers become more sophisticated, these cybersecurity risks will evolve.”