FDA Written Response to ABC7 Questions, After Declining On-Camera Interview

In managing cybersecurity threats, the FDA has consistently required manufacturers to stay vigilant and
correct vulnerabilities with their products in a proactive manner. The FDA plays an important role in
assuring safety of medical devices, and our regulatory abilities allow for us to take appropriate actions to
protect public health, which we have consistently done.

Because of the FDAs coordinated efforts among device manufacturers, other government agencies,
health care delivery organizations and security researchers, these groups together have detected and
fixed many vulnerabilities before they could seriously impact public health. This proactive multistakeholder engagement is the cornerstone of our approach to addressing cybersecurity in medical
devices. Through this approach we have seen significant change and progress in the management of
medical device cybersecurity. There is still work to be done and we are committed to working
collaboratively to address our shared goal of protecting the public health.

1. Is the FDA concerned about the lack of cyber security on medical devices?
Of course the FDA is concerned about the cybersecurity of medical devicescybersecurity threats are
constantly evolving, and, as medical devices become more and more interconnected through wired
and/or wireless connections, they become more vulnerable. We take cybersecurity issues associated
with medical devices seriously and have worked hard to mitigate the risk cybersecurity vulnerabilities
can pose to patient safety and the public health.

Because of the FDAs coordinated efforts among device manufacturers, other government agencies,
health care delivery organizations and security researchers, including experts such as Billy Rios, these
groups together have detected and fixed many vulnerabilities before they could seriously impact public
health.

Addressing cybersecurity and public health takes input and effort from many stakeholdersthe FDA
cannot do this alone. This proactive multi-stakeholder engagement (mentioned above) is the
cornerstone of our approach to addressing cybersecurity in medical devices. Through this approach we
have seen significant change and progress in the management of medical device cybersecurity. There is
still work to be done and we are committed to working collaboratively to address our shared goal of
protecting the public health.

2. What authority does the FDA have to require manufacturers have cyber security on the medical
devices they produce?
The FDA plays an important role in assuring safety of medical devices, and our regulatory abilities allow
for us to take appropriate actions to protect public health. As part of this role, the FDA frequently
communicates with users on safety issues related to medical devices.
Current regulations allow the FDA to take action against products that impact or potentially impact the
health and safety of patients, when they do not function as originally intended.

The FDAs regulations require manufacturers to perform risk assessments and hazard analyses of their
devices(s) and to correct or remove products that have the potential to or have caused serious adverse
events to patients. Complementary to these post-market regulatory requirements, the FDAs premarket
requirements require manufacturers to design products that adequately assess and manage patient
risks, including those related to cybersecurity.

In managing cybersecurity threats, the FDA has consistently required manufacturers to stay vigilant and
correct vulnerabilities with their products in a proactive manner.

3. If the FDA cannot force manufacturers to include cybersecurity on their devices, who can?
To the contrary, the FDA has the authority to regulate medical devices for safety and effectiveness,
which includes cybersecurity concerns. For example, with respect to premarket review of medical
devices, if cybersecurity controls are found to be inadequate, the agency can and has requested design
changes from manufacturers and has delayed the clearance of devices until these controls are
considered acceptable. As noted above, the FDAs premarket and postmarket requirements address
cybersecurity of medical devices as is aligned with the agencys quality system regulation requirements.

4. Has the FDA used its influence to try to change manufacturing standards in the medical device
industry? And if so, how?
The FDA has regularly been using its influence and authority to engage with manufacturers and other
stakeholders to promote cyber hygiene and cybersecurity best practices. Weve convened workshops,
issued safety communications, posted guidance documents and have engaged broadly with the entire
health care community.

Regarding industry standards, FDA cybersecurity experts are active participants in many independent
standards organizations (ISOs) working to develop common cybersecurity standards. Upon review of
standards developed by ISOs, the FDA determines whether the standard should be recognized by the
agency, and if so, we post the recognized standard publicly so that manufacturers may choose to adopt
it as part of their management of medical device cybersecurity.

5. Some top medical device researchers say the FDA is not doing enough. They say the agency relies on
private researchers to provide them with data, rather than the FDA examining these devices, in its own
labs, for cybersecurity and then presenting original research/reports. How do you respond to that? Do
you foresee a time where the FDA will be doing comprehensive cybersecurity testing on medical
devices?
The independent researcher community is an integral driver of the ecosystem in advancing
cybersecurity of medical devices. Their technical expertise can and has been leveraged to identify and fix
cybersecurity issues with medical devices. The FDA, along with its own researchers and subject matter
experts, looks forward to continuing its important work with them as cybersecurity issues change and
evolve.

As noted above, the management of cybersecurity in medical devices takes a concerted effort from all
stakeholders involved to address issues from their respective places of expertise and authority. For
example, manufacturers of devices that undergo FDA review are required to demonstrate to the FDA
that they have tested and designed their devices to address cybersecurity concerns. This is consistent
with how the FDA reviews all medical products. The FDA does not perform its own independent
premarket testing of medical productswhether its cybersecurity or other quality issues, such as
sterility or toxicity. The agency relies upon the submission of the necessary testing and performance
data and other information provided by manufacturers for any medical product requiring premarket
review.

6. Americans assume that devices approved by the FDA are safe. A device that can be easily hacked and
made lethal is not safe. Does the FDA need to expand the scope of its work to maintain consumer
confidence?
The FDA has indeed expanded the scope of its work in cybersecurity over the past several years. We
have worked diligently to bring the health care community together to propose and implement shared
solutions to addressing cybersecurity concerns. We can and have delayed medical devices from coming
to market until cybersecurity controls were considered adequate and residual risks were considered
acceptable. We have proposed new guidelines that outline how manufacturers should be identifying,
addressing and mitigating cybersecurity vulnerabilities once their devices are in use. And we have the

authority to take action when quality systems regulations are violated. As a result, we are starting to
see a shift in mindset among all stakeholdersmanufacturers are realizing the importance of
implementing comprehensive cybersecurity controls throughout a products lifespan, hospitals are
taking steps to secure their networks, healthcare professionals are becoming more aware of
cybersecurity concerns and independent security researchers are performing valuable research to
identify cybersecurity vulnerabilities before they have the potential to harm patients.

Its important to note that no medical device is without risk. This further underscores the need for
vigilance and monitoring of emerging threats and vulnerabilities so that concerns can be addressed in a
timely manner. This proactive approach helps ensure that medical devices in use today provide benefits
to patient health that outweigh potential cybersecurity risks.

7. Have there been any deaths and or any adverse patient issues related to hacked medical devices?
While the FDA is not aware of any medical devices that have been purposely targeted or caused patient
harm or death due to cybersecurity vulnerabilities, the reality is that bad actors intentionally look for
ways to overcome cybersecurity safeguards, so we always work to stay one step ahead and to take
aggressive steps to stop this criminal behavior.

8. Who is ultimately responsible for the safety of medical devices? Does the FDA accept any level of
responsibility, should one of these devices - with known cyber security vulnerabilities - cause harm or
death to a patient because of a hack?
Medical device cybersafety is a shared responsibility and requires diligence from all stakeholders,
including manufacturers, government agencies, health care delivery organizations and health care
professionals. Cybersecurity is a primary concern for the FDA and we are keenly aware of the role
cybersecurity plays in the agencys mission to protect the public health.

The fact is, connected medical devices are vulnerable to cybersecurity attacks. That is why the FDA has
taken a comprehensive effort to address and mitigate cybersecurity vulnerabilities throughout a devices
entire lifespan from design to clinical use to obsolescence. The entire health care community should
be participants in bringing about the change that is needed from their respective places of influence and
abilities. The FDA strongly believes the best way to protect patients from cyber threats is to work
together to address medical device vulnerabilities using a total product lifecycle approach.