
Medical Device Cybersecurity Needs Enforceable Regulations, Not Just Suggestions, ICIT Says

February 17, 2016
by Heather Landi

The Institute for Critical Infrastructure Technology (ICIT) this week released a critical analysis of the U.S. Food and Drug Administration’s (FDA) guidance on medical device cybersecurity and argues that “subtle suggestions” are not enough.

ICIT is a non-partisan organization that acts as a conduit between the private sector, federal agencies and legislative community with the goal of supporting and protecting the country’s technology infrastructures. The report, “Assessing the FDA’s Cybersecurity Guidelines for Medical Device Manufacturers: Why Subtle ‘Suggestions’ May Not Be Enough,” criticizes the agency for falling short on implementing enforceable regulations over medical device manufacturers.

“In practically all matters of cybersecurity within the health sector, the FDA seems to be in a constant state of offering subtle suggestions where regulatory enforcement is needed,” wrote the authors of the report, James Scott, senior fellow at the ICIT, and Drew Spaniel, visiting scholar, Carnegie Mellon University. “The argument against enforcing cybersecurity standards typically centers on the idea that a regulatory presence stifles innovation. Due to the industry’s continuous lack of cybersecurity hygiene, malicious EHR exfiltration and exploiting vulnerabilities in healthcare’s IoT attack surface continue to be a profitable priority target for hackers.”

The authors point out that the latest action by the FDA underscores its position that medical device cybersecurity is a priority for the health sector. “However, despite the implied sense of urgency, the FDA has chosen not to implement enforceable regulations over medical device manufacturers,” they wrote.

As previously reported by Healthcare Informatics, in January the FDA issued the “Draft Guidance for Industry and Food and Drug Administration Staff,” advising medical device manufacturers to address cybersecurity “throughout a product’s lifecycle, including during the design, development, production, distribution, deployment, and maintenance of the device.” The guidelines offer a voluntary framework that organizations can build upon to ensure that their cybersecurity policies, procedures, and strategies proactively address cybersecurity risks in medical devices.

According to the ICIT report, the recommendations build upon NIST’s 2014 “Framework for Improving Critical Infrastructure Cybersecurity,” which in turn was published in response to an executive order from President Obama advocating the development of a standardized cybersecurity framework that identifies, detects, protects against, responds to, and recovers from cybersecurity risk.

In the report, Scott and Spaniel argue that manufacturers can choose not to follow the guidelines issued by the FDA, but “this freedom,” they wrote, “should not result in the failure to secure medical devices from cyber threats due to knowledgeable disregard, inefficient budget allocation, or lack of trained cybersecurity personnel.” They continued, “Patients who rely on medical devices should not suffer due to the failure of device manufacturers with lackadaisical cybersecurity standards.”

Scott and Spaniel also emphasize that the healthcare sector is at elevated risk to targeted attacks “because lack of regulatory device security and the expansive victim pool makes hospitals and healthcare providers tantalizing targets.” “Healthcare networks tend to be less secure than comparable networks in other critical infrastructure sectors because cybersecurity only recently became a priority. Further, patient data is more valuable than other target data because its invariant nature means that victims can be exploited for a significant amount of time,” they wrote.

The ICIT report also offers a number of recommendations for the healthcare community, such as cybersecurity mitigation strategies and the need to characterize and assess detected vulnerabilities in order to triage remediation activities in the organization and in the healthcare community.

Scott and Spaniel assert that the medical device community is compliance-oriented and that, currently, healthcare device manufacturers and healthcare providers have the ability to ignore the FDA’s recommendations. “However, it is in the best interest of each organization and the community at large if the target audience pays attention to the FDA’s underlying message to adopt a comprehensive risk-based cybersecurity program,” they wrote.

“Interested stakeholders have 90 days from the January release of the guidelines to submit comments and suggestions to the FDA about the guidelines. It may be beneficial to healthcare providers, healthcare payers, and legislators to petition the FDA to make the guidelines regulatory. Otherwise, medical device manufacturers could ignore the guidelines altogether,” Scott and Spaniel wrote.

The authors also note that adopting the guidelines can provide device manufacturers with long-term competitive advantage over their competitors. “The medical device market is flush with similar products from numerous manufacturers. No rational buyer would purchase an untrusted device when a comparable product comes with assurance of greater device integrity. Compliance with the FDA guidelines provides a demonstrative differentiating factor that compliant device manufacturers can market to healthcare providers and end users,” Scott and Spaniel wrote.

And the authors conclude, “The cyber threat is real and bad actors are continuously evolving in both stealth and sophistication. Regardless of how medical device manufacturers and healthcare providers receive the guidelines, the FDA has clearly indicated that medical device cyber security is a priority. The healthcare community should note the gesture and take the initiative to assess their own networks and improve their cybersecurity.”

The deadline for comments on the FDA guidelines is April 21.
