As part of National Cybersecurity Awareness Month, the U.S. Food and Drug Administration (FDA) took some time to reflect on the advances its medical device cybersecurity program has made during the year:

While COVID-19 has presented many challenges, we have already learned much through our response efforts, to include addressing medical device issues related to physical and cybersecurity supply chains, telemedicine, and the shift to remote workforces, among other issues.

Cyber safety is a shared responsibility. We encourage everyone to consider the importance of cybersecurity and remain aware throughout the year when it comes to the technology we rely on every day—including the security of medical devices.

In 2020, the FDA continued to ensure medical device cybersecurity safety and awareness by:

  • Informing patients, health care providers and manufacturers of cybersecurity vulnerabilities, which may introduce risks for certain medical devices, and providing recommendations in safety communications.
  • Participating in the National Telecommunications and Information Administration’s Software Transparency Initiative as a part of the healthcare Proof of Concept (PoC). The healthcare PoC is a collaborative effort between healthcare delivery organizations, medical device manufacturers, and other public health stakeholders to establish a prototype Software Bill of Materials (SBOM) format and exercise use cases for SBOM production and consumption.
  • Serving as a co-chair for the International Medical Device Regulators Forum Cybersecurity Working Group tasked with drafting a global medical device cybersecurity guide. The purpose of the guide is to promote a globally harmonized approach to medical device cybersecurity that at a fundamental level ensures the safety and performance of medical devices while encouraging innovation. The guide was finalized in March 2020.
  • Serving as co-chair for two Healthcare Sector Coordinating Council (HSCC) Task Groups: the Legacy Device Task Group, focused on how to address issues of old, outdated technologies in healthcare environments; and the Vulnerability Communications Task Group, focused on developing updated strategies for communicating cybersecurity vulnerability information to healthcare stakeholders.
  • Funding a series of threat modeling bootcamps, developed and hosted by MDIC and MITRE in partnership, to highlight the importance of threat modeling during the development, deployment, and maintenance of connected medical devices, and to provide training to industry representatives on threat modeling best practices and strategies.

The FDA takes medical device cybersecurity seriously. We are committed to mitigating the risks that cybersecurity vulnerabilities can pose to patient safety and public health, without decreasing the benefits of interconnected medical devices. As technology continues to connect, transform, and evolve, cybersecurity threats are never far behind. For this reason, it is vital that medical device cyber safety is considered a shared responsibility for all stakeholders, including medical device manufacturers, government agencies, health care organizations, health care professionals, cybersecurity researchers, and medical device users throughout the U.S. and abroad.

We remind everyone to remain aware and committed to using cybersecurity best practices and good cyber hygiene. Although we continuously face new challenges in medical device cybersecurity, we must remain committed to working together to protect public health.

For more information, visit the FDA