Report calls out weak FDA stance on medical device cybersecurity, favors stronger regulation
A report this week from the Institute for Critical Infrastructure Technology, a bipartisan collaborative meant to bridge the gap between federal agencies and private-sector leaders in the interest of protecting the nation's technology backbone, claims recent guidance from U.S. Food and Drug Administration for device makers falls way short.
"In practically all matters of cybersecurity within the health sector, the FDA seems to be in a constant state of offering subtle suggestions where regulatory enforcement is needed," write ICIT Senior Fellow James Scott and Drew Spaniel, a visiting scholar at Carnegie Mellon University, in the report.
Specifically, the study, "Assessing the FDA's Cybersecurity Guidelines for Medical Device Manufacturers: Why Subtle 'Suggestions' May Not Be Enough," knocks the agency for failing to implement enforceable regulations for manufacturers.
"The argument against enforcing cybersecurity standards typically centers on the idea that a regulatory presence stifles innovation," they said. "Due to the industry’s continuous lack of cybersecurity hygiene, malicious EHR exfiltration and exploiting vulnerabilities in healthcare’s IoT attack surface continue to be a profitable priority target for hackers."
The FDA recently published its "Draft Guidance for Industry and Food and Drug Administration Staff," which underscores that cybersecurity for medical devices has emerged as a top priority for the healthcare industry.
But while it's appropriate for FDA to be doing more to highlight the nature of the threat, it's also worth noting that the medical device community is "compliance-oriented," Scott and Spaniel said.
"Currently, healthcare device manufacturers and healthcare providers have the ability to ignore the FDA’s recommendations," they said in the report. "However, it is in the best interest of each organization and the community at large if the target audience pays attention to the FDA’s underlying message to adopt a comprehensive risk-based cybersecurity program.
"Interested stakeholders have 90 days from the January release of the guidelines to submit comments and suggestions to the FDA about the guidelines," they added. "It may be beneficial to healthcare providers, healthcare payers, and legislators to petition the FDA to make the guidelines regulatory. Otherwise, medical device manufacturers could ignore the guidelines altogether."
[Like Healthcare IT News on Facebook]
This isn't the first time FDA has been criticized for issuing public statements that call attention to the severity of device security but do little to enforce safety practices by manufacturers.
In 2013, for instance, a so-called "safety communication" from the agency called on manufacturers, clinical staff and hospital IT and security departments to safeguard against cyberattacks but did little to enforce change.
Noting that FDA "is at a critical point in this ecosystem to correct the path of vendors, manufacturers and administrators," information security expert Gunter Ollmann at the time said the communication was "wishy-washy in its description of the threat and actions to correct the threat. It's as if it had to pass through multiple committees and each watered it down to become what it is today. It should have been a call to arms, with a clear communication of how serious the problem is."