Seven Cybersecurity Myths Put to the Test

Posted February 28, 2017

At last week’s HIMSS17 conference in Orlando, FL, Seth Carmody, senior program manager for medical device cybersecurity at the Food and Drug Administration (FDA), debunked four myths pertaining to the agency’s oversight of medical device cybersecurity. Since so many other misconceptions remain, we decided to add a bit of myth-busting of our own.

Myth 1: The FDA has sole regulatory responsibility for medical device cybersecurity.

There are actually several federal agencies responsible for regulating medical device cybersecurity, including the Department of Homeland Security and the Department of Health and Human Services. Carmody said collaboration between federal agencies is a necessity, not a “kumbaya thing,” according to a report from FierceHealthcare.

Myth 2: Medical device manufacturers can’t issue updates or patches without FDA approval.

In its postmarket cybersecurity guidance, the FDA states: “For cybersecurity routine updates and patches, the FDA will, typically, not need to conduct premarket review to clear or approve the medical device software changes.” The only security updates that need approval are those “made to remediate vulnerabilities associated with a reasonable probability that use of, or exposure to, the product will cause serious adverse health consequences or death,” as they are not considered routine.

Myth 3: The FDA tests medical devices for cybersecurity vulnerabilities.

The FDA doesn’t test devices at all. Instead, it relies on manufacturers, healthcare delivery organizations, and others to provide reports and information on potential postmarket safety concerns. When it comes to cybersecurity risks, “information may originate from an array of sources, including independent security researchers, in-house testing, suppliers of software or hardware technology, healthcare facilities, and information-sharing and analysis organizations,” according to the FDA’s postmarket guidance.

Myth 4: Healthcare organizations can never fix or update a device to improve cybersecurity.

The FDA generally promotes a collaborative approach to device updates because in its view, “it is rare for healthcare organizations to have enough technical resources and information on the design of medical devices to independently maintain medical device software." However, according to FierceHealthcare, organizations can issue simple patches or updates involving some devices, but they will assume the risk associated with that update.

Myth 5: Cybersecurity is an IT department issue.

Cybersecurity in healthcare delivery organizations relies on all departments, across all levels. “Silos in healthcare are creating more risk. Cross-functional teams need to own and manage risk with the systems approach in 80001,” wrote the authors of Health IT Risk Management, referencing the 80001 series of standards. “Managing risk in silos will fail.” As cybersecurity expert Axel Wirth noted in a column for BI&T, AAMI’s peer-reviewed journal, “Cybersecurity has to become part of an organization’s culture and everybody’s responsibility.”

Myth 6: Only big businesses and organizations are under attack.

"Criminals used to go after larger companies, but as they have increased their cyber arsenals, the threats have trickled down to [small and midsize businesses], which are less prepared, have fewer resources, and huge amounts of sensitive information," Ebba Blitz, CEO of encryption software company Alertsec, told TechRepublic. Any healthcare facility that is connected to the Internet is at risk. In 2016, cybercriminals targeted hospitals, skilled nursing facilities, ambulatory surgical centers, MRI/CT scan facilities, diagnostic laboratories, urology centers, physical therapists, physician practices, and more, based on research conducted by TrapX Labs.

Myth 7: If manufacturers made devices even more secure, hospitals wouldn’t need to worry about cybersecurity.

With the FDA’s new cybersecurity guidance and AAMI TIR57, Principles for medical device security―Risk management, manufacturers have resources to continue to develop and improve the security of their devices. However, vulnerabilities can exist on hospital IT networks, independent of any one device. There also has to be a “culture of safety” that includes shared responsibility and involvement among healthcare organizations, clinicians, and vendors/developers. The 80001 series of standards is one tool that can help hospitals apply risk management practices to their IT networks incorporating medical devices.

For more cybersecurity resources, visit