The College of Healthcare Information Management Executives lauds the U.S. Food and Drug Administration for its work on medical device cybersecurity in a recent letter, but also says that increased collaboration between manufacturers and providers is critical.
The letter is in response to a request for comment on guidance the FDA released in January focused on postmarket cybersecurity of medical devices. That guidance was a follow-up to one published in October 2014 outlining how medical device makers should address cybersecurity risks in the premarket design of their products.
CHIME's comments on the guidance cover the organization's overall reflections, commentary on the postmarket guidance and responses to specific questions from the FDA.
Its major recommendations include:
- The Health and Human Services Department should create a certification program for the device industry to "ensure that devices being purchased have met vigorous testing and cybersecurity quality controls"
- The FDA should work with HHS's Office for Civil Rights to make sure implementation guidance is better aligned; the Cybersecurity Act of 2015 requires HHS to create a plan showing how it will address cybersecurity issues in the industry
- Participation in Information Sharing and Analysis Organizations (ISAOs) should be a requirement, to improve the relationship between providers and manufacturers
- The FDA should set up a hotline that providers can call if they run into issues with device makers who say they can't fix a security risk without agency clearance
- The risk framework should be standardized, "not just offered as guidance"
Rep. James Langevin (D-R.I.) also recently published comments supporting the FDA's guidance, saying it "would make substantial progress" in the medical device security arena and applauding the guidance's emphasis on risk-based cybersecurity.
He adds that the FDA, in addition to promoting the guidance, "has an important responsibility to ensure that manufacturers are properly complying with the proposed mitigation methods or are properly reporting cybersecurity risks."
The agency also should build upon industry collaborations and advance work with manufacturers, patients, IT experts, security researchers, and others, Langevin says.