The Institute for Critical Infrastructure Technology (ICIT) this week released a critical analysis of the U.S. Food and Drug Administration’s (FDA) guidance on medical device cybersecurity and argues that “subtle suggestions” are not enough.
ICIT is a non-partisan organization that acts as a conduit between the private sector, federal agencies and legislative community with the goal of supporting and protecting the country’s technology infrastructures. The report, “Assessing the FDA’s Cybersecurity Guidelines for Medical Device Manufacturers: Why Subtle ‘Suggestions’ May Not Be Enough,” criticizes the agency for falling short on implementing enforceable regulations over medical device manufacturers.
“In practically all matters of cybersecurity within the health sector, the FDA seems to be in a constant state of offering subtle suggestions where regulatory enforcement is needed,” wrote the authors of the report, James Scott, senior fellow at the ICIT, and Drew Spaniel, visiting scholar, Carnegie Mellon University. “The argument against enforcing cybersecurity standards typically centers on the idea that a regulatory presence stifles innovation. Due to the industry’s continuous lack of cybersecurity hygiene, malicious EHR exfiltration and exploiting vulnerabilities in healthcare’s IoT attack surface continue to be a profitable priority target for hackers.”
The authors point out that the latest action by the FDA underscores its position that medical device cybersecurity is a priority for the health sector. “However, despite the implied sense of urgency, the FDA has chosen not to implement enforceable regulations over medical device manufacturers,” they wrote.
As previously reported by Healthcare Informatics, in January the FDA issued the “Draft Guidance for Industry and Food and Drug Administration Staff,” advising medical device manufacturers to address cybersecurity “throughout a product’s lifecycle, including during the design, development, production, distribution, deployment, and maintenance of the device.” The guidelines offer a voluntary framework that organizations can build upon to ensure that their cybersecurity policies, procedures, and strategies proactively address cybersecurity risks in medical devices.
According to the ICIT report, the recommendations build upon NIST’s 2014 “Framework for Improving Critical Infrastructure Cybersecurity,” which in turn was published in response to an executive order from President Obama advocating the development of a standardized cybersecurity framework that identifies, detects, protects against, responds to, and recovers from cybersecurity risk.
In the report, Scott and Spaniel argue that manufacturers can choose not to follow the guidelines issued by the FDA, but “this freedom,” they wrote, “should not result in the failure to secure medical devices from cyber threats due to knowledgeable disregard, inefficient budget allocation, or lack of trained cybersecurity personnel.” They continued, “Patients who rely on medical devices should not suffer due to the failure of device manufacturers with lackadaisical cybersecurity standards.”
Scott and Spaniel also emphasize that the healthcare sector is at elevated risk of targeted attacks “because lack of regulatory device security and the expansive victim pool makes hospitals and healthcare providers tantalizing targets.” They added, “Healthcare networks tend to be less secure than comparable networks in other critical infrastructure sectors because cybersecurity only recently became a priority. Further, patient data is more valuable than other target data because its invariant nature means that victims can be exploited for a significant amount of time.”
The ICIT report also offers a number of recommendations for the healthcare community, such as cybersecurity mitigation strategies and the need to characterize and assess detected vulnerabilities in order to triage remediation activities in the organization and in the healthcare community.
Scott and Spaniel assert that the medical device community is compliance-oriented and that, currently, healthcare device manufacturers and healthcare providers have the ability to ignore the FDA’s recommendations. “However, it is in the best interest of each organization and the community at large if the target audience pays attention to the FDA’s underlying message to adopt a comprehensive risk-based cybersecurity program,” they wrote.
“Interested stakeholders have 90 days from the January release of the guidelines to submit comments and suggestions to the FDA about the guidelines. It may be beneficial to healthcare providers, healthcare payers, and legislators to petition the FDA to make the guidelines regulatory. Otherwise, medical device manufacturers could ignore the guidelines altogether,” Scott and Spaniel wrote.
The authors also note that adopting the guidelines can give device manufacturers a long-term competitive advantage. “The medical device market is flush with similar products from numerous manufacturers. No rational buyer would purchase an untrusted device when a comparable product comes with assurance of greater device integrity. Compliance with the FDA guidelines provides a demonstrative differentiating factor that compliant device manufacturers can market to healthcare providers and end users,” Scott and Spaniel wrote.
And the authors conclude, “The cyber threat is real and bad actors are continuously evolving in both stealth and sophistication. Regardless of how medical device manufacturers and healthcare providers receive the guidelines, the FDA has clearly indicated that medical device cyber security is a priority. The healthcare community should note the gesture and take the initiative to assess their own networks and improve their cybersecurity.”
The deadline for comments on the FDA guidelines is April 21.