Cybersecurity is one of the most delicate and discussed issues in the medical sector today. The text you are about to read is the continuation of the article we began last week regarding the increasingly evident problem of the security of medical devices connected to the internet. In today’s article you will continue to read the answers, suggestions and opinions of Jodi Scott, spokesperson for the FDA, thanks to the translation of her interesting interview taken from the lexology.com website.
Ms. Scott, if a patient possesses a medical device that has not been updated and/or equipped with the most recent software, what problems are they up against? Those of you in the FDA, how do you handle these situations?
“The patient could be heading for sensitive data theft, for example. My team and I suggested setting up a customer communication service, where customers can speak to us about their problems on this issue; for sure in the future we will be issuing software patches to give online assistance, too… Afterwards, we will carry out recalls to see if the problem areas have returned to normal or if our assistance is still necessary. This way, we try to address the risks, as well as take care of our customers and their needs.”
Let’s say a patient has a medical device and they discover it has been hacked. What do you recommend they do immediately?
“First of all, I would recommend a health hazard assessment. It’s basically an evaluation of the risks regarding the patient’s conditions. These tests take various aspects into consideration; my team and I personally consider the risk from a technical perspective, meaning: what does this violation of privacy mean? What can third parties do with your sensitive data? And if they can do something, what are the consequences for the patient?
Sometimes the answer is: they can’t do anything. This is the time to strengthen security on the hacked account and then continue using the medical device (after having carefully checked the data and ensured it is exact). But if the data is breached in order to be used, then the problem absolutely exists and our agency, the FDA, intervenes: we are very busy solving this type of problem. It has become our top priority.”
In addition to the above methods of clinical risk, which obviously require the intervention of competent professionals, what can a person do who is “uninformed” on the subject and believes they have been “breached”?
“The key word is ‘notify’. When dealing with cybersecurity, very often it’s difficult to solve the software problem immediately (it involves a lot of work and you can’t just snap your fingers and fix everything). In this situation, the customer has the opportunity to notify the authorities or the medical device’s manufacturer of any problems or irregularities. This can lead to a resolution of the problem. In fact, the FDA’s mantra is: ‘notify early, notify often’.
Sometimes the problem is easily solved: in that case, the medical device’s parent company can guide you to an autonomous solution for the problem. Otherwise, the issues can be more serious and need to be resolved through our agency.
The FDA is delving intensely into cybersecurity; but just consider the hundreds of thousands of devices that are already in customers’ hands and out of our sphere of control and exposed to all kinds of risks. The work required to re-establish the functionality and security of a patient’s sensitive data takes hours and hours of work, a customised strategy studied down to the finest details, and then it must be applied. Technology is evolving daily and it is critical to continue developing research also for that which regards the medical industry and healthcare equipment. They should start now: the FDA has announced its total collaboration.”