In health care, cyber intrusions into medical devices could be life-threatening.
In the age of widespread cyber threats, the Food and Drug Administration needs to rethink the way it approaches medical device regulation, an official said Friday.
“Medical device vulnerabilities are always going to be there, or there are new ones that are always going to be emerging and evolving,” Suzanne Schwartz, associate director for science and strategic partnerships at FDA, said during an Atlantic Council event.
To counter threats, FDA has been making a deliberate effort to counsel outside groups it had not "previously engaged with," including security researchers, as it considers regulation of the internet of things. Cybersecurity should become a more standard part of FDA's medical device quality system regulation process, she said.
This requires a "shift in mindset in how we think and how manufacturers really think about devices and where they reside today, whether it's in a brick and mortar facility, whether it's in an individual walking around, ambulatory, or whether it's at home," Schwartz said. Devices should be designed to cope with hostile environments and adversaries, she said, and it's "not with the intent of creating a lot of hysteria or alarm."
Her office is focused on collaborating with the private sector, encouraging tech companies to consider the total life cycle of a product and the new, unanticipated risks each item could pose to a patient, she said.
"There has to be a more holistic perspective," Schwartz added.
Despite new cyber risks, she said, “these devices serve often critical life-sustaining functions and benefits ... we have to be able to look at the benefits versus the risks here.”