The FDA’s new cybersecurity guidelines may not be enough to keep medical devices safe, according to two Institute for Critical Infrastructure Technology (ICIT) authors.
The guidelines, titled “Draft Guidance for Industry and Food and Drug Administration Staff,” were released Jan. 15 and detail a set of suggestions for medical device manufacturers to keep their products safe from cyber threats.
However, in a blog post titled “Assessing the FDA’s Cybersecurity Guidelines for Medical Device Manufacturers: Why Subtle ‘Suggestions’ May Not Be Enough,” James Scott, a senior fellow at ICIT, and Drew Spaniel, a visiting scholar from Carnegie Mellon University, suggested that the guidelines needed more to become truly effective. They note that not only are medical devices particularly susceptible to cyberattack, but that those attacks could cost lives.
The FDA guidelines attempt to unify health care organizations in their cybersecurity approaches in order to protect patient safety. They also call for implementing the voluntary 2014 NIST Framework for Improving Critical Infrastructure Cybersecurity and its core functions of “Identify, Protect, Detect, Respond, and Recover.”
“The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices,” said Suzanne Schwartz, associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health. “Only when we work collaboratively and openly in a trusted environment will we be able to best protect patient safety and stay ahead of cybersecurity threats.”
Scott and Spaniel, however, worry that simply encouraging the medical device manufacturers isn’t enough.
“It may be beneficial to health care providers, health care payers, and legislators to petition the FDA to make the guidelines regulatory,” the authors wrote. “Otherwise, medical device manufacturers could ignore the guidelines altogether.”
The health care community has 90 days to comment on the draft guidelines, during which time it can suggest additions or changes.
Scott noted that the guidelines are not exactly innovative ideas. In November 2015, ICIT hosted an event called “Hacking Hospitals” on Capitol Hill to address the growing threats facing health care organizations.
“If you take that event and add the NIST framework, that’s it, that’s the FDA guidelines,” Scott said in a separate interview. Scott argued that, since the NIST framework was published in 2014, any health care organization that was going to implement it voluntarily would have done so by now.
Medical device manufacturers may already have enough incentive to improve cybersecurity on their own. Scott noted that Philips Healthcare already brings in hackers to attack its own devices before they go on the market. One motivation may be monetary, as stronger cybersecurity can benefit a company’s bottom line.
“No rational buyer would purchase an untrusted device when a comparable product comes with assurance of greater device integrity,” the authors wrote. “Compliance with the FDA guidelines provides a demonstrative differentiating factor that compliant device manufacturers can market to health care providers and end users.”
Still, the FDA guidelines do not cover many important cybersecurity factors in medical technology. Scott noted that the threat landscape for 2016 would be broad, including the human component, malicious code, ransomware, third-party cybersecurity, the Internet of Things, sensors, embedded devices, data sharing in the cloud, and more.
“When they’re talking about the medical device cybersecurity side, none of these things came up,” Scott said of the FDA guidelines. “There’s no health IT renaissance coming out of these recommendations.”
That renaissance may come when greater attention is paid to the organizations and legislators who are actively working to better medical cybersecurity.
“Very few people on the Hill are doing anything, so the people who are doing something should be recognized,” Scott said. He emphasized that senators such as Patty Murray, D-Wash., and Lamar Alexander, R-Tenn., have been creating forums for dialogue through the Senate Health, Education, Labor, and Pensions (HELP) Committee. On telehealth, the Department of Veterans Affairs, as well as supporters of the “Telehealth and Innovation Improvement Act,” are making significant strides.
“In 2015, there were over 200 pieces of legislation in 42 states to expand telehealth,” Scott said. “That tells us something.”
Telehealth was not addressed in the FDA guidelines. Though the guidelines have a long way to go before they effect significant change, Scott is not entirely negative.
“I think it’s a really good start,” he concluded.