The Ascension health system recently endured a notable ransomware attack that caused substantial disruption by shutting down systems across several states. The resulting operational problems included pharmacy closures and forced clinicians to revert to paper records. The incident underscored a growing concern: the increasing frequency of cyberattacks targeting healthcare facilities.
These cybersecurity challenges were a key topic at the AdvaMed Medtech Conference, where regulators including Suzanne Schwartz, Director at the FDA’s Office of Strategic Partnerships and Technology Innovation, discussed their increasing prevalence and the strategies to counteract them. The urgency of these discussions is amplified by recent legislative action by Congress and the subsequent FDA guidelines established in 2023. These were aimed at strengthening cybersecurity measures specifically for medical device manufacturers, ensuring that new devices entering the market adhere to stringent cybersecurity protocols.
However, despite these advancements, a significant challenge looms with legacy medical devices. These devices, characterized by their outdated or unsupported software, continue to pose a threat due to inherent security vulnerabilities. Schwartz highlighted the ongoing issue with submissions of new devices intended to operate on these unsupported systems, a practice now prohibited under the new regulations. Despite efforts to curb the usage of obsolete technologies in medical equipment, the industry still grapples with the reality of existing legacy devices.
The problem is exacerbated by the practice of “passing down” older equipment from larger to smaller hospitals, as described by Chris Reed, Medtronic’s Senior Director of Cybersecurity Policy. This not only perpetuates the use of vulnerable systems but also complicates the security landscape within smaller medical facilities that inherit these risks.
Addressing the issue of aging systems, Reed advised developers to proactively plan for their devices’ lifecycles, emphasizing the need for a robust updating and patching strategy. He pointed out previous industry missteps, such as the use of consumer operating systems like Android, whose rapid update cycles may not align with the longevity needs of medical devices.
Furthering this strategy, Ashley Mancuso of Johnson & Johnson Medtech touched upon the success of their accelerated patching process. This process streamlines updates, ensuring they are implemented swiftly to maintain security integrity without affecting the device’s core functionality.
Amid these discussions, Schwartz acknowledged the broader challenge of aligning medical device software trajectories with those of rapidly evolving operating systems – a topic that extends beyond the FDA’s purview and requires a concerted effort from the entire regulatory ecosystem. Collaborative efforts with international bodies like the International Medical Device Regulators Forum and Health Canada were highlighted as key to addressing these systemic issues.
Overall, the ongoing dialogue at the Medtech Conference illustrates a healthcare industry in the midst of a critical transition. Stakeholders are increasingly acknowledging the necessity of integrated efforts across manufacturers, regulatory bodies, and healthcare providers to address cybersecurity threats effectively. The focus remains not only on ensuring compliance with new regulations but also on addressing the substantial risks posed by legacy systems that permeate the current healthcare landscape. As these discussions continue, it becomes clear that tackling these challenges is a work in progress, reliant on ongoing cooperation and innovation within the medical technology sector.