Medical Device Cybersecurity Needs Enforceable Regulations, Not Just Suggestions, ICIT Says | Healthcare Informatics Magazine


February 17, 2016
by Heather Landi

The Institute for Critical Infrastructure Technology (ICIT) this week released a critical analysis of the U.S. Food and Drug Administration’s (FDA) guidance on medical device cybersecurity and argues that “subtle suggestions” are not enough.

ICIT is a non-partisan organization that acts as a conduit between the private sector, federal agencies and legislative community with the goal of supporting and protecting the country’s technology infrastructures. The report, “Assessing the FDA’s Cybersecurity Guidelines for Medical Device Manufacturers: Why Subtle ‘Suggestions’ May Not Be Enough,” criticizes the agency for falling short on implementing enforceable regulations over medical device manufacturers.

“In practically all matters of cybersecurity within the health sector, the FDA seems to be in a constant state of offering subtle suggestions where regulatory enforcement is needed,” wrote the authors of the report, James Scott, senior fellow at the ICIT, and Drew Spaniel, visiting scholar, Carnegie Mellon University. “The argument against enforcing cybersecurity standards typically centers on the idea that a regulatory presence stifles innovation. Due to the industry’s continuous lack of cybersecurity hygiene, malicious EHR exfiltration and exploiting vulnerabilities in healthcare’s IoT attack surface continue to be a profitable priority target for hackers.”

The authors point out that the latest action by the FDA underscores its position that medical device cybersecurity is a priority for the health sector. “However, despite the implied sense of urgency, the FDA has chosen not to implement enforceable regulations over medical device manufacturers,” they wrote.

As previously reported by Healthcare Informatics, in January the FDA issued the “Draft Guidance for Industry and Food and Drug Administration Staff,” advising medical device manufacturers to address cybersecurity “throughout a product’s lifecycle, including during the design, development, production, distribution, deployment, and maintenance of the device.” The guidelines offer a voluntary framework that organizations can build upon to ensure that their cybersecurity policies, procedures, and strategies proactively address cybersecurity risks in medical devices.

According to the ICIT report, the recommendations build upon NIST’s 2014 “Framework for Improving Critical Infrastructure Cybersecurity,” which in turn was published in response to an executive order from President Obama advocating the development of a standardized cybersecurity framework that identifies, detects, protects against, responds to, and recovers from cybersecurity risk.

In the report, Scott and Spaniel argue that manufacturers can choose not to follow the guidelines issued by the FDA, but “this freedom,” they wrote, “should not result in the failure to secure medical devices from cyber threats due to knowledgeable disregard, inefficient budget allocation, or lack of trained cybersecurity personnel.” They continued, “Patients who rely on medical devices should not suffer due to the failure of device manufacturers with lackadaisical cybersecurity standards.”

Scott and Spaniel also emphasize that the healthcare sector is at elevated risk to targeted attacks “because lack of regulatory device security and the expansive victim pool makes hospitals and healthcare providers tantalizing targets.” “Healthcare networks tend to be less secure than comparable networks in other critical infrastructure sectors because cybersecurity only recently became a priority. Further, patient data is more valuable than other target data because its invariant nature means that victims can be exploited for a significant amount of time,” they wrote.

The ICIT report also offers a number of recommendations for the healthcare community, such as cybersecurity mitigation strategies and the need to characterize and assess detected vulnerabilities in order to triage remediation activities in the organization and in the healthcare community.

Scott and Spaniel assert that the medical device community is compliance-oriented and that, currently, healthcare device manufacturers and healthcare providers have the ability to ignore the FDA’s recommendations. “However, it is in the best interest of each organization and the community at large if the target audience pays attention to the FDA’s underlying message to adopt a comprehensive risk-based cybersecurity program,” they wrote.

“Interested stakeholders have 90 days from the January release of the guidelines to submit comments and suggestions to the FDA about the guidelines. It may be beneficial to healthcare providers, healthcare payers, and legislators to petition the FDA to make the guidelines regulatory. Otherwise, medical device manufacturers could ignore the guidelines altogether,” Scott and Spaniel wrote.

The authors also note that adopting the guidelines can provide device manufacturers with long-term competitive advantage over their competitors. “The medical device market is flush with similar products from numerous manufacturers. No rational buyer would purchase an untrusted device when a comparable product comes with assurance of greater device integrity. Compliance with the FDA guidelines provides a demonstrative differentiating factor that compliant device manufacturers can market to healthcare providers and end users,” Scott and Spaniel wrote.

And the authors conclude, “The cyber threat is real and bad actors are continuously evolving in both stealth and sophistication. Regardless of how medical device manufacturers and healthcare providers receive the guidelines, the FDA has clearly indicated that medical device cyber security is a priority. The healthcare community should note the gesture and take the initiative to assess their own networks and improve their cybersecurity.”

The deadline for comments on the FDA guidelines is April 21.
