by Christina Hwang, Contributing Reporter | January 16, 2017
The Common Vulnerability Scoring System (CVSS) is broken down into three main parts: base scoring (risk factors of the vulnerability itself), temporal scoring (risk factors that change over time), and modified base scoring (factors the organization controls, which the manufacturer can assess).
“With respect to the x-axis, manufacturers should already have processed the severity of impact of the effect on the patient,” said Carmody. “The severity of patient harm increases from minor and temporary to requiring medical intervention, as well as death.”
For a controlled risk, Carmody gave the example of a researcher who publicly disclosed code for a four-year-old vulnerability through which an unauthorized user can view a patient’s health information in a database but cannot edit or manipulate it. The manufacturer determines that this is a controlled risk, notifies its customers of the problem, and then documents the effectiveness of the cybersecurity update.
A situation is uncontrolled when, in the postmarket stage, the manufacturer discovers a vulnerability that has yet to be exploited. However, the vulnerability introduced a “failure mode” that can change the way the device functions. Even though no one has yet been harmed, the device does not reduce the risk of patient harm to an acceptable level and is therefore uncontrolled.
If there is an uncontrolled risk factor, within 30 days, the manufacturer has to notify the stakeholders and tell them to disconnect the device from the hospital’s network. Within 60 days, the manufacturer has to distribute a patch to mitigate the problem.
In order to become a member of an Information Sharing and Analysis Organization (ISAO), a manufacturer has to share any vulnerabilities and threats that could impact medical devices, including any customer concerns regarding cybersecurity vulnerabilities.
The manufacturer also has to document the steps it took to assess and respond to the vulnerability. If the manufacturer is part of an ISAO, it can minimize exploits by having risk control measures in place, which can include communicating with patients and users.