The FDA’s Role in Domestic and International Medical Device Cybersecurity

2019-05-21

According to the U.S. Food and Drug Administration (FDA), a growing number of medical devices are connected to the Internet, hospital networks, and other medical devices. This connectivity can provide better healthcare to patients, but it also opens the door for cybersecurity threats. For example, in October 2018, the FDA itself issued a warning about implantable cardiac devices with cybersecurity concerns. Avoiding the cybersecurity risks associated with medical devices is a serious, immediate issue, especially since these risks can be life-threatening.

A pacemaker. Implanted medical devices (like pacemakers) that use information and communication technology (ICT) can face cybersecurity concerns. Image by Rede Galega de Biomateriais and licensed under CC BY-NC 2.0.

Recent research published in the Georgetown Journal of International Affairs looks into the FDA’s role in ensuring cybersecurity in the global medical device market. The article – written by MIT researchers Dr. Keman Huang, Sophie Herscovici, and Professor Stuart Madnick and partially supported by IPRI – states that the “U.S. Food and Drug Administration (FDA) should increase its leadership role in managing emerging cybersecurity risks within the global medical device supply chain.”

The FDA’s Current Role in Medical Device Cybersecurity

In their article, the MIT team states that the FDA is aware of and addressing the vulnerabilities currently faced by medical devices. In doing so, the FDA is not functioning alone; national medical device cybersecurity is handled by a variety of governmental and private organizations, including the FDA, NPPD, and NCCIC, as well as healthcare delivery organizations (HDOs) and medical device manufacturers (MDMs).

With regard to the international supply chain, the FDA is already collaborating with MDMs about cybersecurity, which could help determine cybersecurity best practices for the global supply chain of medical devices. The FDA is also a leading member of the International Medical Device Regulators Forum (IMDRF).

How the FDA Can Enhance Its Medical Device Cybersecurity Role

The researchers state that the FDA’s domestic and international medical device cybersecurity endeavors could be leveraged into a leadership position for advocating for a more secure global medical device supply chain. They emphasize that “it is of strategic interest for the FDA to reduce the systemic cybersecurity risks to the global medical device supply chain as a whole. This is because medical devices are not just designed and manufactured within the United States, but rather are part of a larger global supply chain.”

Realizing this goal, however, will require new, active approaches. For example, the FDA could:

  • Start a cybersecurity sanction mechanism that punishes MDMs participating in risky cyber practices used within medical device supply chains
  • Create a blacklist of high-risk MDMs and medical devices and have devices list previous cybersecurity incidents
  • Develop trade policies and procedures regarding medical device cybersecurity risk by working with international trade agencies

Read more of the team’s recommendations in the full article: