Watchdog calls for stronger FDA to thwart would-be hackers of medical devices
In January, the FDA issued draft guidance advising medical-device manufacturers to think through cybersecurity concerns for the entire life cycle of each of their products. This week a nonprofit, nonpartisan think tank called phooey on the advisement and urged the healthcare IT community to weigh in on the draft by its April 21 comments deadline.
“In practically all matters of cybersecurity within the health sector,” contends the Institute for Critical Infrastructure Technology (ICIT) in a report posted online, “the FDA seems to be in a constant state of offering subtle suggestions where regulatory enforcement is needed.”
The authors of the six-page report, James Scott, of ICIT, and Drew Spaniel, a visiting scholar at Carnegie Mellon University, spell out the roots of their desire to see FDA back up its words with actions.
At the heart of the agency’s soft stance, they write, is the notion that regulation stifles innovation.
“Due to the industry’s continuous lack of cybersecurity hygiene,” they write, “malicious EHR exfiltration and exploiting vulnerabilities in healthcare’s [Internet of Things] attack surface continue to be a profitable priority target for hackers.”
Meanwhile, the healthcare sector is at elevated risk of targeted attacks, the authors note, “because lack of regulatory device security and the expansive victim pool makes hospitals and healthcare providers tantalizing targets. Healthcare networks tend to be less secure than comparable networks in other critical infrastructure sectors because cybersecurity only recently became a priority.”
What’s more, patient data is more valuable than other target data “because its invariant nature means that victims can be exploited for a significant amount of time.”
The January guidelines, Scott and Spaniel add, merely clarify when information must be reported as part of post-market “cybersecurity device hygiene.”
“Only cybersecurity vulnerabilities and exploits that ‘compromise the essential clinical performance’ of the device and have a high likelihood of resulting in serious harm or death as a result of exploitation must be reported to the FDA,” they point out. “Actions taken to mitigate non-critical vulnerabilities or exploits may be considered ‘cybersecurity routine updates and patches’” and so do not have to be reported.
The authors wrap up their argument by stating that the cyber threat to healthcare “is real, and bad actors are continuously evolving in both stealth and sophistication. Regardless of how medical device manufacturers and healthcare providers receive the guidelines, the FDA has clearly indicated that medical device cyber security is a priority. The healthcare community should note the gesture and take the initiative to assess their own networks and improve their cybersecurity.”
The full report, which includes links to the relevant FDA documents, is posted online.