Sterling has successfully guided over 300 client medical device projects through the FDA approval process. Our experienced and innovative team of medical device engineers is here to design, test, validate, and advise on medical devices, and to navigate the FDA submission process with our clients. Sterling Medical Devices possesses technical expertise in the rapidly developing intersection of mobile devices (smartphones and tablets) and portable medical devices. We have experience with ever-evolving FDA, EU, and other government regulations, as well as 510(k) and Pre-Market Approval processes for all classifications of medical devices. Sterling utilizes an “up-front” approach with clients so that they fully comprehend the logistics of bringing a medical device to market, the costs involved, realistic time frames, and how to efficiently navigate the process. Our teams use agile project management to help clients focus on the top priority as their device moves forward in the approval process, and to eliminate extraneous device elements that could threaten medical device cybersecurity, create vulnerabilities, or introduce other risks. The FDA’s focus on ensuring the safety of medical devices and Sterling’s focus on designing the best-possible and most-compliant medical devices both aim to improve the health of patients.
The Importance of Cybersecurity for Medical Devices
As technology becomes increasingly mobile and our devices more connected than ever, the risk of network breaches increases as well. In the case of networked medical devices, the impact may be life-threatening without stringent cybersecurity measures. Because medical devices are part of this transformation into a more connected world, the FDA has taken a strong interest in guiding manufacturers in a proactive manner for the safety of medical devices.
What makes medical device cybersecurity particularly vexing is the pace of technological change. iOS- and Android-based devices were all introduced in the first decade of the 21st century. Between product launches and updates, operating systems are updated, sometimes very significantly, potentially impacting medical device security between connected devices. The FDA has recognized the cybersecurity risk to medical devices and, in response, has issued guidance for manufacturers. First proposed in June 2013, the FDA guidelines were finalized in October 2014.
The FDA’s Medical Device Cybersecurity Concerns
The FDA realizes that continuous technological advancement brings an increased risk that medical devices connected via wireless, Internet, “the cloud”, or any other networked means will not always work as intended. The FDA also has concerns about response times to threats pertaining to cybersecurity vulnerabilities. The FDA itself sees medical device cybersecurity threats as continuously evolving. Each medical device’s cybersecurity risk may take on its own unique form from a single disruption, so it is unlikely that the FDA could devise a successful “one-size-fits-all” approach to all possible resulting threats anytime soon. The focus on building in cybersecurity safeguards during the design stages of medical device development helps ensure that new products and devices released will have benefits that outweigh perceived and real risks.
The FDA sees the mitigation of cybersecurity threats as a shared responsibility of healthcare facilities, patients, providers, and device manufacturers. For medical device manufacturers, the FDA directs them to “develop a set of cybersecurity controls to assure medical device cybersecurity and maintain medical device functionality and safety” (from Content of Premarket Submissions for Management of Cybersecurity in Medical Devices). To the extent medical device cybersecurity risks are mitigated, there will be less threat of patient illness, injury, or death.
FDA Direction to Medical Device Manufacturers
The FDA wants medical device developers to be diligent when conceptualizing and producing medical devices that will inevitably have cybersecurity risks during their final development stages. Preventative measures that manufacturers can take include establishing a cybersecurity vulnerability and management approach that identifies assets and threats and examines corner cases. Assessing the impact on the device’s functionality, the impact on patients, the likelihood of the threat, and the device’s vulnerability to being breached are all actions that the FDA expects manufacturers to execute before product launch. Lastly, the FDA believes that it would be beneficial for manufacturers to determine the risk levels and understand different mitigation strategies for medical device cybersecurity risks, as doing so would increase safety and functionality and develop trust between all parties involved.