There are almost daily news stories on the subject of cyber-security, from passengers taking control of commercial airliners from their seats to criminals stealing private information. The risk of adverse events caused by security breaches in medical equipment has been discussed widely, though no specific instance of a security-related harm has been recorded.
This may explain why the industry’s response to the perceived threat has been inconsistent and muted. Whether the risk is overstated, under-reported or a disaster waiting to happen, patients have every right to expect that the medical equipment their wellbeing depends upon will be safe and effective. If there are software security holes, then that guarantee cannot be made with the confidence the public deserves.
Although the scenarios seen in TV dramas with terrorists hacking into a pacemaker may seem far-fetched, the reality is that hackers will search networks, often using automated tools, looking for exposed devices. This might mean that the safety and effectiveness of a medical device could be compromised unintentionally. This is compounded by the presence of malware which is permeating much of the connected world today and which could impair the correct operation of medical device software and the integrity of data.
The US FDA has issued guidance on what it expects medical device manufacturers to do and squarely places responsibility for cyber-security on the manufacturer: “The need to be vigilant and responsive to cybersecurity vulnerabilities is part of your obligation under 21 CFR 820.100 to systematically analyze sources of information and implement actions needed to correct and prevent problems”.
In the EU, the Medical Devices Directive mandates that “All risks have to be reduced as far as possible”, and this includes cyber-security. It is important to note that “as far as possible” does not mean zero risk; it implies that risk control measures must be consistent with the “generally recognised state-of-the-art”.
There are some who believe that this issue will only be taken seriously enough by the industry when a cyber-security breach leads to patient harm. However, it may well be the case that the rejection of 510(k) or CE Mark submissions on the grounds of a lack of security measures will provide the necessary motivation before any harm occurs.
To address the need for a better understanding of cyber-security issues in medical devices, we will be hosting a masterclass at the IET Birmingham, UK on 17th September 2015. We hope you will be able to join us, but please note that places are limited. Please follow the link below for more details.