FDA Workshop Addresses Security of Medical Devices

By Kelly A. Briganti, Editorial Director, G2 Intelligence The U.S. Food and Drug Administration (FDA) is joining the cadre of government agencies calling attention to the cybersecurity risks of wireless, internet-and network-connected devices and electronic exchange of health information. It warns that risk extends to not just the device and the information it holds but to the health systems and networks to which the device might connect. Answering a presidential directive that the federal government work with private industry to address these risks, the FDA is holding a two-day workshop Jan. 20-21, 2016, titled "Moving Forward: Collaborative Approaches to Medical Device Cybersecurity." The workshop will address "the current state of medical device cybersecurity" and what can be done in the next year to improve security. One focus of the discussion will be implementation of a "voluntary, risk-based framework for achieving enhanced cybersecurity" developed by the National Institute of Standards and Technology (NIST) with public and private sector collaboration. The FDA explains the risks of compromised medical devices include "device malfunction, disruption of healthcare services including treatment interventions, inappropriate access to patient information, or compromised electronic health record data integrity" which "could have a profound impact on patient care and safety." Thus, the workshop will include discussions of awareness, "cyber hygiene," information sharing, identifying and managing medical device cyber vulnerabilities, and vulnerability disclosures. Laboratorians are directly affected by these cyber risks as diagnostic technology becomes more mobile and laboratories and their data become more connected. Interoperability is a high priority and the subject of a previous FDA workshop in September, focused on "semantic interoperability of laboratory data between in vitro diagnostic devices and database systems, including laboratory information systems and electronic health records." Recently, our sister publication Diagnostic Testing and Emerging Technologies highlighted the emergence of mobile diagnostic technology, which implicates these cyber issues. Multiple government agencies are focusing on and promoting awareness of cybersecurity threats. This month, National Intelligence Report discusses the Office of Inspector General's inclusion in its Workplan of cybersecurity risks relating to electronic health information and medical devices. G2 Compliance Advisor recently highlighted increased enforcement of privacy and security of health information by the Office for Civil Rights and noted the Federal Bureau of Investigation's recent warning about the risk of cyber attack for devices that connect to the internet and receive data. Registration to attend the FDA workshop is free, but attendees must register by Jan. 13, 2016. A streaming webcast will also be available. Written comments on the issues can be submitted through Feb. 22, 2016. For more information and to register, visit the FDA website.