Healthcare Informatics Magazine | Health IT | Information Technology

Medical Device Cybersecurity Needs Enforceable Regulations, Not Just Suggestions, ICIT Says

February 17, 2016
by Heather Landi

The Institute for Critical Infrastructure Technology (ICIT) this week released a critical analysis of the U.S. Food and Drug Administration’s (FDA) guidance on medical device cybersecurity and argues that “subtle suggestions” are not enough.

ICIT is a non-partisan organization that acts as a conduit between the private sector, federal agencies and legislative community with the goal of supporting and protecting the country’s technology infrastructures. The report, “Assessing the FDA’s Cybersecurity Guidelines for Medical Device Manufacturers: Why Subtle ‘Suggestions’ May Not Be Enough,” criticizes the agency for falling short on implementing enforceable regulations over medical device manufacturers.

“In practically all matters of cybersecurity within the health sector, the FDA seems to be in a constant state of offering subtle suggestions where regulatory enforcement is needed,” wrote the authors of the report, James Scott, senior fellow at the ICIT, and Drew Spaniel, visiting scholar, Carnegie Mellon University. “The argument against enforcing cybersecurity standards typically centers on the idea that a regulatory presence stifles innovation. Due to the industry’s continuous lack of cybersecurity hygiene, malicious EHR exfiltration and exploiting vulnerabilities in healthcare’s IoT attack surface continue to be a profitable priority target for hackers.”

The authors point out that the latest action by the FDA underscores its position that medical device cybersecurity is a priority for the health sector. “However, despite the implied sense of urgency, the FDA has chosen not to implement enforceable regulations over medical device manufacturers,” they wrote.

As previously reported by Healthcare Informatics, in January the FDA issued the “Draft Guidance for Industry and Food and Drug Administration Staff,” advising medical device manufacturers to address cybersecurity “throughout a product’s lifecycle, including during the design, development, production, distribution, deployment, and maintenance of the device.” The guidelines offer a voluntary framework that organizations can build upon to ensure that their cybersecurity policies, procedures, and strategies proactively address cybersecurity risks in medical devices.

According to the ICIT report, the recommendations build upon NIST’s 2014 “Framework for Improving Critical Infrastructure Cybersecurity,” which in turn was published in response to an executive order from President Obama advocating the development of a standardized cybersecurity framework that identifies, detects, protects against, responds to, and recovers from cybersecurity risk.

In the report, Scott and Spaniel argue that manufacturers can choose not to follow the guidelines issued by the FDA, but “this freedom,” they wrote, “should not result in the failure to secure medical devices from cyber threats due to knowledgeable disregard, inefficient budget allocation, or lack of trained cybersecurity personnel.” They continued, “Patients who rely on medical devices should not suffer due to the failure of device manufacturers with lackadaisical cybersecurity standards.”

Scott and Spaniel also emphasize that the healthcare sector is at elevated risk of targeted attacks “because lack of regulatory device security and the expansive victim pool makes hospitals and healthcare providers tantalizing targets.” “Healthcare networks tend to be less secure than comparable networks in other critical infrastructure sectors because cybersecurity only recently became a priority. Further, patient data is more valuable than other target data because its invariant nature means that victims can be exploited for a significant amount of time,” they wrote.

The ICIT report also offers a number of recommendations for the healthcare community, such as cybersecurity mitigation strategies and the need to characterize and assess detected vulnerabilities in order to triage remediation activities in the organization and in the healthcare community.

Scott and Spaniel assert that the medical device community is compliance-oriented and that, currently, healthcare device manufacturers and healthcare providers have the ability to ignore the FDA’s recommendations. “However, it is in the best interest of each organization and the community at large if the target audience pays attention to the FDA’s underlying message to adopt a comprehensive risk-based cybersecurity program,” they wrote.

“Interested stakeholders have 90 days from the January release of the guidelines to submit comments and suggestions to the FDA about the guidelines. It may be beneficial to healthcare providers, healthcare payers, and legislators to petition the FDA to make the guidelines regulatory. Otherwise, medical device manufacturers could ignore the guidelines altogether,” Scott and Spaniel wrote.

The authors also note that adopting the guidelines can provide device manufacturers with long-term competitive advantage over their competitors. “The medical device market is flush with similar products from numerous manufacturers. No rational buyer would purchase an untrusted device when a comparable product comes with assurance of greater device integrity. Compliance with the FDA guidelines provides a demonstrative differentiating factor that compliant device manufacturers can market to healthcare providers and end users,” Scott and Spaniel wrote.

And the authors conclude, “The cyber threat is real and bad actors are continuously evolving in both stealth and sophistication. Regardless of how medical device manufacturers and healthcare providers receive the guidelines, the FDA has clearly indicated that medical device cyber security is a priority. The healthcare community should note the gesture and take the initiative to assess their own networks and improve their cybersecurity.”

The deadline for comments on the FDA guidelines is April 21.
