
Medical Device Cybersecurity Needs Enforceable Regulations, Not Just Suggestions, ICIT Says

February 17, 2016
by Heather Landi

The Institute for Critical Infrastructure Technology (ICIT) this week released a critical analysis of the U.S. Food and Drug Administration’s (FDA) guidance on medical device cybersecurity and argues that “subtle suggestions” are not enough.

ICIT is a non-partisan organization that acts as a conduit between the private sector, federal agencies and legislative community with the goal of supporting and protecting the country’s technology infrastructures. The report, “Assessing the FDA’s Cybersecurity Guidelines for Medical Device Manufacturers: Why Subtle ‘Suggestions’ May Not Be Enough,” criticizes the agency for falling short on implementing enforceable regulations over medical device manufacturers.

“In practically all matters of cybersecurity within the health sector, the FDA seems to be in a constant state of offering subtle suggestions where regulatory enforcement is needed,” wrote the authors of the report, James Scott, senior fellow at the ICIT, and Drew Spaniel, visiting scholar, Carnegie Mellon University. “The argument against enforcing cybersecurity standards typically centers on the idea that a regulatory presence stifles innovation. Due to the industry’s continuous lack of cybersecurity hygiene, malicious EHR exfiltration and exploiting vulnerabilities in healthcare’s IoT attack surface continue to be a profitable priority target for hackers.”

The authors point out that the latest action by the FDA underscores its position that medical device cybersecurity is a priority for the health sector. “However, despite the implied sense of urgency, the FDA has chosen not to implement enforceable regulations over medical device manufacturers,” they wrote.

As previously reported by Healthcare Informatics, in January the FDA issued the “Draft Guidance for Industry and Food and Drug Administration Staff,” advising medical device manufacturers to address cybersecurity “throughout a product’s lifecycle, including during the design, development, production, distribution, deployment, and maintenance of the device.” The guidelines offer a voluntary framework that organizations can build upon to ensure that their cybersecurity policies, procedures, and strategies proactively address cybersecurity risks in medical devices.

According to the ICIT report, the recommendations build upon NIST’s 2014 “Framework for Improving Critical Infrastructure Cybersecurity,” which in turn was published in response to an executive order from President Obama advocating the development of a standardized cybersecurity framework that identifies, detects, protects against, responds to, and recovers from cybersecurity risk.

In the report, Scott and Spaniel argue that manufacturers can choose not to follow the guidelines issued by the FDA, but “this freedom,” they wrote, “should not result in the failure to secure medical devices from cyber threats due to knowledgeable disregard, inefficient budget allocation, or lack of trained cybersecurity personnel.” They continued, “Patients who rely on medical devices should not suffer due to the failure of device manufacturers with lackadaisical cybersecurity standards.”

Scott and Spaniel also emphasize that the healthcare sector is at elevated risk of targeted attacks “because lack of regulatory device security and the expansive victim pool makes hospitals and healthcare providers tantalizing targets.” “Healthcare networks tend to be less secure than comparable networks in other critical infrastructure sectors because cybersecurity only recently became a priority. Further, patient data is more valuable than other target data because its invariant nature means that victims can be exploited for a significant amount of time,” they wrote.

The ICIT report also offers a number of recommendations for the healthcare community, such as cybersecurity mitigation strategies and the need to characterize and assess detected vulnerabilities in order to triage remediation activities in the organization and in the healthcare community.

Scott and Spaniel assert that the medical device community is compliance-oriented and that, currently, healthcare device manufacturers and healthcare providers have the ability to ignore the FDA’s recommendations. “However, it is in the best interest of each organization and the community at large if the target audience pays attention to the FDA’s underlying message to adopt a comprehensive risk-based cybersecurity program,” they wrote.

“Interested stakeholders have 90 days from the January release of the guidelines to submit comments and suggestions to the FDA about the guidelines. It may be beneficial to healthcare providers, healthcare payers, and legislators to petition the FDA to make the guidelines regulatory. Otherwise, medical device manufacturers could ignore the guidelines altogether,” Scott and Spaniel wrote.

The authors also note that adopting the guidelines can provide device manufacturers with long-term competitive advantage over their competitors. “The medical device market is flush with similar products from numerous manufacturers. No rational buyer would purchase an untrusted device when a comparable product comes with assurance of greater device integrity. Compliance with the FDA guidelines provides a demonstrative differentiating factor that compliant device manufacturers can market to healthcare providers and end users,” Scott and Spaniel wrote.

And the authors conclude, “The cyber threat is real and bad actors are continuously evolving in both stealth and sophistication. Regardless of how medical device manufacturers and healthcare providers receive the guidelines, the FDA has clearly indicated that medical device cyber security is a priority. The healthcare community should note the gesture and take the initiative to assess their own networks and improve their cybersecurity.”

The deadline for comments on the FDA guidelines is April 21.
