Who is responsible for the cybersecurity of medical devices? The makers of those devices.
That, anyway, is the position of the American Hospital Association (AHA), which made its point in comments submitted to the U.S. Food and Drug Administration (FDA).
The issue of cybersecurity in healthcare technology is a hot topic, especially with the FDA’s release this fall of a final guidance document for manufacturers on the subject. Additionally, in late October, the agency joined with the Department of Homeland Security (DHS) for a workshop to develop collaborative approaches on tackling cyberthreats. It asked interested parties to answer questions ahead of the event in a Federal Register notice, and AHA’s comments address these topics.
In the comments, Linda Fishman, AHA’s senior vice president for public policy analysis and development, said hospitals are taking cyberthreats seriously, particularly as healthcare has become more interconnected. She also urged the medical device industry to be a major player in managing risks, writing that medical devices “have been identified as key vulnerabilities and high-risk areas for the security of hospitals’ overall information systems.” It is the responsibility of industry, she wrote, to “actively manage risk,” including taking steps to minimize risk in the first place and then patching and updating devices as new threats emerge.
The AHA comments also addressed the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, released in February 2014. The institute says that the framework is designed to help the financial, energy, healthcare, and other critical sectors protect their information and physical assets from cyberattacks.
“As the makers of a key component of modern healthcare, medical device manufacturers should embrace their role in assessing the applicability of the NIST Framework to their products, and use it as a springboard to make improvements in medical device security,” Fishman wrote.
During the FDA-DHS workshop this fall, Jeff Secunda, vice president of technology and regulatory affairs at AdvaMed, stressed a more collaborative approach when it comes to the cybersecurity of medical devices. Collaboration is “basically what I do every day,” he said, pointing out that he works with the trade group’s members, the government, and other organizations. He added that it is important to clearly define how the various actors will collaborate. AdvaMed officials declined to comment on the AHA’s position.
A recent report from the Scottsdale Institute, a nonprofit membership organization of prominent healthcare systems, demonstrates how significant a concern cybersecurity is for healthcare facilities and includes comments from chief information officers (CIOs) on the subject. “If the government of China is trying to hack us, we are probably not going to be able to stop them,” said Robert Eardley, CIO at Houston Methodist Hospital. Still, many hospital executives say they have strategies in place, including end-to-end security standards, training for end users, and proactive monitoring and rapid response.