In collaboration with the National Health Information Sharing Analysis Center (NH-ISAC) and the Department of Health and Human Services, FDA is planning to hold a public workshop entitled “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity.” This workshop will be held at FDA’s White Oak Campus in Silver Spring, Maryland, on January 20 – 21, 2016.
The purpose of the workshop is to “highlight past collaborative efforts; increase awareness of existing maturity models (i.e. frameworks leveraged for benchmarking an organization's processes) which are used to evaluate cybersecurity status, standards, and tools in development; and to engage the multi-stakeholder community in focused discussions on unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity.”
The workshop follows FDA publishing an alert regarding the cybersecurity of an approved medical device. The alert was published on July 31, 2015, and informed users of the Hospira Symbiq Infusion System (Version 3.13 and prior versions) of the device’s cybersecurity vulnerabilities. In the alert, FDA stated that the Agency strongly encourages “that health care facilities transition to alternative infusion systems, and discontinue use of these pumps.”
In addition, the Agency published a final guidance in October 2014 in which FDA recommended “that manufacturers consider cybersecurity risks as part of the design and development of a medical device, and submit documentation to the FDA about the risks identified and controls in place to mitigate those risks.”
As medical device cybersecurity continues to become a more imminent threat, it is comforting to see FDA taking a proactive approach.