AHA to FDA: Hold med device makers responsible for cybersecurity

Medical device cybersecurity should be the responsibility of device makers, according to the American Hospital Association.

In a recent letter to the U.S. Food and Drug Administration, AHA Senior Vice President of Public Policy Analysis and Development Linda Fishman called on the agency to "hold device manufacturers accountable" for ensuring the safety of medical devices from cyberthreats. The letter was in response to a request for comments published by the FDA in late September on collaborative approaches for medical device and healthcare cybersecurity.

In early October, the FDA published a final guidance document outlining the measures it expects medical device manufacturers to take to ensure the safety and security of their products in the face of growing cyberthreats. FDA guidance is nonbinding, but it sets the agency's expectations for premarket review. In that document, the agency called on device makers to account for cybersecurity risks during design and development, and to include in their premarket submissions documentation of the risks identified, the controls chosen to mitigate them, and the manufacturer's plans for patching and updating device software and operating systems.

The ECRI Institute last week listed cybersecurity of medical devices and healthcare IT as one of its top health technology hazards to watch for in 2015.

"Hospitals and health systems must consider the full spectrum of cyberthreats, not just those involving medical devices," Fishman wrote. "However, medical devices have been identified as key vulnerabilities and high-risk areas for the security of hospitals' overall information systems. The [healthcare and public health] sector cannot successfully protect against cyber risk unless all parts of the sector actively manage risk."

Device makers also must "proactively minimize risk," update and patch devices as new threats emerge and participate in information sharing to maximize preparedness, according to Fishman.

"Given the interconnected nature of healthcare today, the AHA would discourage the formation of a separate, stand-alone information-sharing forum for the medical device community, although we recognize that separate activities within the medical device sector may be useful for technical conversations," she said.

The National Institute of Standards and Technology last month released draft guidelines to help organizations, including those in the healthcare industry, share threat information during and after cyberattacks.

To learn more:
- read Fishman's letter (.pdf)