MedCity Influencers, Sponsored Post

FDA needs to develop a better road map to help manufacturers make connected medical devices safer, more secure

To get better-connected – and more secure – medical devices, the government needs to build a better checklist.

This post is sponsored by Vree Health.

The latest U.S. Food and Drug Administration (FDA) recommendations on cybersecurity and medical devices don’t contain much new information, said Paige Joyner, compliance officer for Vree Health. And that’s a problem in such a rapidly changing industry.

Device makers and healthcare providers need more detailed guidance on how to tackle the difficult challenges in making “connected” devices safe from hacker attacks, data breaches and other problems, she said.

The FDA’s recently finalized recommendations, titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” advise manufacturers to consider cybersecurity risks as part of the design and development of a medical device.

The agency recommended device makers submit documentation to the FDA about the risks identified and controls in place to mitigate those risks. The FDA also recommends that manufacturers submit their plans for providing patches and updates to make operating systems and medical software less vulnerable to security breaches and hacker attacks.

Joyner said the new regulations are just “a rewording” of other published security recommendations with best practices, such as the HIPAA Security Rules, which were released in May 2005 and “revamped” under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, as well as the NIST Cybersecurity Guidelines, which were recently published.

Device makers and app developers need more specific guidelines on what they need to do to help ensure device and data security. The security regulations for medical devices “are not very descriptive,” Joyner said. “If you are building an app for a healthcare device, the regulations don’t give you a checklist of things to do.

“They’re telling people, ‘Do this,’ but they are not telling people how. One of the problems we’ve got is that once they design regulations and then they pass through all of the hoops they’ve got to go through, technology has surpassed it by five years. So they try to leave it non-technology-specific, but it’s kind of backfired, because of the growth of all these devices and the explosion of the data flows.”

Joyner also cited another challenge: a “disconnect between healthcare people and healthcare data people.”

“Application builders are really good at being creative and getting software to do things and share information. But, for some reason, they don’t always understand that it is not just data we’re dealing with – it’s healthcare data, which has a higher level of privacy and security that has to be maintained.” Regulators “need to get everybody on the same page,” she said.

“Part of the problem with the HIPAA regulations is that they were written back in the mid ’90s and implemented in 2005 on the security side. So, they were written almost 10 years before they were implemented,” Joyner said.

High-tech omnibus regulations that went into effect in 2013 included “an attempt to reiterate some of the earlier regulations and add a little more structure and specificity. That helped a little bit, but not enough to give (developers) a diagram of how to build apps,” Joyner said.

But she said the challenges in making devices and confidential data secure and safe can be overcome.

“It’s like any new industry. The development of medical apps and connected devices is in its infancy. It’s a process, and we’ll have to learn as we go. Unfortunately, that will involve a lot of trial-and-error,” she said.


Vree Health

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.
