October 1, 2014

Well, Halloween is approaching, boys and girls. And while it’s fun to don a Dracula (or Miley Cyrus) costume and get some yucks faux scaring folks, the FDA is acting as a responsible parent by setting up a medical device cybersecurity risks educational seminar later this month in Arlington, VA. It appears to have filled up already, but a webcast recording will be made available.

Getting a tiny adrenaline rush when a nine-year-old Frankenstein jumps out at you in the dark is one thing; finding out some nineteen-year-old hacker has infiltrated your proprietary product and customer information isn’t the right kind of fright.

Seems like someone out there in the bureaucracy has a little sense of humor because October is National Cybersecurity Awareness Month. FDA, along with the Department of Health and Human Services and the Department of Homeland Security, hopes to bring together a wide swath of stakeholders, including medical device makers, at their Oct. 20-21 “Collaborative Approaches for Medical Device and Healthcare Cybersecurity.”

Participants will be encouraged to help regulators identify barriers to promoting medical device cybersecurity; discuss innovative strategies to address challenges that may jeopardize critical infrastructure; and enable the proactive development of analytical tools, processes, and best practices by the stakeholder community in order to strengthen medical device cybersecurity. It’s shaping up to be a good agenda, but it’ll probably only be as strong as the attendees who show up to share war stories and discuss best practices with regulators and others.

Broadly speaking, the symposium hopes to help advance medical device cybersecurity by swapping information about the most current online threats, identifying gaps, advancing the usage of the feds’ “Framework for Improving Critical Infrastructure Cybersecurity”, and developing tools and standards to build robust, comprehensive protection programs, among other areas of focus.

One of the topics will be the FDA’s new guidance “Content of Premarket Submissions for Management of Cybersecurity risks in Medical Devices,” released Oct. 2. That guidance provides some helpful definitions (helpful in the sense that this is how the FDA views the world), and what kind of cybersecurity protection program the agency expects from medical device makers and their kin.

Some say the threat of medical device security hacks has been hyped up a bit. I’m no expert there. But a report issued earlier this year from a cyber expert at SANS Institute (sponsored by cybersecurity vendor Norse) says some 94% of medical institutions report being victims of some type of cyberattack. This isn’t a report specifically about medical device makers, and I’m certain the vast majority of the attacks were relatively small and easy to thwart. Regardless, those numbers deserve some attention.

Hyped or not, I don’t imagine you’ll see an attendee at FDA’s event getting a jump on Halloween and showing up dressed as a sophisticated hacker, though. That’s just too scary.