The COVID-19 pandemic has made the need for healthcare technology more important than ever, with many physicians now utilizing health information technology (health IT) to help with the treatment process. In addition, the use of telehealth apps soared 350% during the height of the pandemic.
Of course, the rise in technology comes with an increase in cybersecurity threats. And it’s not just apps and IT that are at risk. Data shows that medical devices connected to the internet, hospital networks, and other medical devices are also vulnerable to security breaches, which can impact the safety and effectiveness of the device.
“The inherent security risk with medical devices is that they can potentially expose both data and control of the device itself,” wrote Richard Piggin, Security Consultant at Atkins. “This raises a tension between safety and security, which requires greater stakeholder collaboration to address, particularly in design and regulatory approaches. These stakeholders now include regulators, device manufacturers, healthcare organizations, IT suppliers, and patients themselves.”
So far this year, the U.S. Food & Drug Administration (FDA), which is responsible for medical device oversight, has informed patients, health care providers, and manufacturers about the SweynTooth family of cybersecurity vulnerabilities, which may introduce risks for certain medical devices, as well as cybersecurity vulnerabilities in certain GE Healthcare Clinical Information Central Stations and Telemetry Servers. And risks are set to increase further with adoption of the Internet of Things (IoT) by healthcare organizations and consumers.
With that in mind, the FDA is now seeking feedback with the aim to develop a framework for an effective way to report cybersecurity vulnerabilities to patients, as well as ensure that they understand the risks and the steps needed to decrease the vulnerabilities from increased use of connected medical devices.
The FDA has proposed six core elements to consider for the framework: Interpretability; discussing risks and benefits; acknowledging and explaining the unknown; availability and findability of information; structure of the communication material; and outreach and distribution vehicles. The agency has created the paper—“Communicating Cybersecurity Vulnerabilities to Patients: Considerations for a Framework”—to gather early input from third parties and is accepting feedback until December 21.