ICIT on FDA guidance: Regulatory enforcement needed on med device cybersecurity

Draft cybersecurity guidelines for devicemakers recently released by the U.S. Food and Drug Administration are too "subtle," despite showing that security of medical devices is a priority, according to the Institute for Critical Infrastructure Technology (ICIT).

The FDA is offering suggestions at a stage where "regulatory enforcement is needed," James Scott, senior fellow at ICIT, which advises decision makers on technology and cybersecurity trends, and Drew Spaniel, a visiting scholar at Carnegie Mellon University, write in an assessment of the guidelines.

The agency issued its new draft guidance on postmarket cybersecurity of medical devices in January, following up on guidance published in October 2014 outlining how medical devicemakers should address cybersecurity risks in the pre-market design of their products.

The FDA, in the most recent guidance, says it's essential that manufacturers implement comprehensive cybersecurity risk management programs and documentation that includes complaint handling, quality audit, corrective and preventive action, risk analysis and more. It also urges manufacturers to address cybersecurity throughout the product lifecycle.

Scott and Spaniel write that because the FDA offers recommendations and not regulations, "the organization can choose not to follow the guidelines issued by the FDA."

"However, this freedom should not result in the failure to secure medical devices from cyberthreats due to knowledgeable disregard, inefficient budget allocation, or lack of trained cybersecurity personnel," they write.

They add that while some in the industry say regulations could impede innovation, "due to the industry's continuous lack of cybersecurity hygiene ... [it will] continue to be a profitable priority target for hackers." In fact, an ICIT report released at the end of last month found that healthcare is the most targeted yet least prepared sector in the U.S. when it comes to cyberattacks.

The authors also criticize the FDA's stance on when attacks must be reported. Transparency and information sharing are more important than ever, they say, but the FDA's guidance only calls for incidents to be reported if they "compromise the essential clinical performance" of the device and have a high likelihood of resulting in serious harm or death.

Scott and Spaniel say that informing the healthcare community about any incident involving a vulnerability or exploit "would increase the proactive security and awareness of the community at large."

To learn more:
- here's the assessment (.pdf)