Hospital Group Calls on FDA to Get Tougher with Device Manufacturers on Cybersecurity

Posted December 12, 2017

Resources for You

AAMI has several resources that address cybersecurity in healthcare technology. They include:

  • AAMI TIR57, Principles for medical device security—Risk Management.
  • The 80001 series of technical information reports (TIRs) dealing with the application of risk management for IT networks incorporating medical devices.
  • Poster: Top 10 Ways to Mitigate the Risk and Effects of Cyberattacks on Medical Devices

A national organization representing hospitals of all sizes is calling on the Food and Drug Administration (FDA) to hold manufacturers of medical devices “accountable” for their cybersecurity practices and to flex new muscle in its oversight of industry on this front.

In a Dec. 7 letter to the FDA, the American Hospital Association (AHA) highlighted recent global ransomware attacks—notably the WannaCry worm that struck this past May—suggesting that manufacturers are not doing all they can to keep medical devices safe and secure.

“The FDA must provide greater oversight of medical device manufacturers with respect to the security of their products,” wrote the AHA. “Manufacturers must be held accountable to proactively minimize risk and continue updating and patching devices as new intelligence and threats emerge.”

Additionally, the AHA claimed that manufacturers were “slow to provide needed information about their products” when WannaCry stuck and, in general, have been slow to address the cybersecurity challenge of legacy devices.

“While the FDA has released both pre- and postmarket guidance to device manufacturers on how to secure systems, the device manufacturers have yet to resolve concerns, particularly for the large number of legacy devices still in use,” the AHA wrote.

The letter comes at a time of increased awareness of and sensitivity to cybersecurity vulnerabilities in the healthcare sector as a whole. Many stakeholders are under financial and legal pressure—through the prospect of lawsuits should there be a breach—to bolster their cybersecurity practices, both to maintain the functionality of devices and to safeguard confidential patient data.

“We are now operating a highly vulnerable ecosystem of medical devices that could be exploited to harm patients,” warned Axel Wirth, a cybersecurity expert with Symantec and a member of the BI&T Editorial Board. He made his comments in an essay published in the fall edition of Horizons, AAMI’s peer-reviewed supplement to BI&T.

This fall issue of Horizons focuses on cybersecurity in healthcare and is full of articles and case studies on what both device manufacturers and hospitals are doing to address the challenge.

Meanwhile, the AHA said it its letter that it wants the FDA to “set clear measurable expectations for manufacturers” when it comes to cybersecurity of devices and “play a more active role during cybersecurity attacks.”