FDA Delivers Medical Device Security Guidelines - InformationWeek

As the FDA attempts to bolster the security of medical devices, some experts warn that guidance is too little, too late.


In an effort to make the rapidly growing world of medical devices more transparent and secure, the Food and Drug Administration (FDA) published a new set of recommendations this month.

"There is no such thing as a threat-proof medical device," Dr. Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures at the FDA's Center for Devices and Radiological Health, said in a press release. "It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks."

In the new guidelines, the FDA suggests steps to protect devices that contain software (including firmware or programmable logic), as well as software that is itself a medical device. This month, the agency plans to hold a public workshop to discuss the topic further.

To safeguard patients and their data, the FDA advocates that developers take the following precautions:

  • Identify assets, threats, and vulnerabilities.
  • Assess the impact of threats and vulnerabilities on device functionality and end users.
  • Rate the likelihood of a threat or vulnerability being exploited.
  • Determine risk levels and mitigation strategies.
  • Assess residual risk and risk acceptance criteria.
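The five steps above form one risk-assessment loop: every entry in the register pairs an asset with a threat and a vulnerability, is scored for likelihood and impact, gets mitigations assigned, and is then re-scored to see whether the residual risk meets the acceptance criterion. The Python below is an added example of such a loop, not FDA text or any manufacturer's tool; the 1 to 5 scoring scales, the likelihood times impact product, the acceptance threshold and the register entries (a hypothetical infusion pump, telemetry link and bedside monitor) are all constructed for illustration.

```python
"""Risk-register walkthrough of the five recommended steps.

Added illustration: scales, the likelihood * impact scoring, the
acceptance threshold and the sample entries are assumptions made for
this example, not an FDA-prescribed method.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed acceptance criterion (step 5): residual likelihood * impact must be <= 6.
ACCEPTABLE_RISK = 6


@dataclass
class Mitigation:
    """A control that lowers likelihood and/or impact on the 1-5 scales."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class RiskItem:
    """One register row: asset, threat and vulnerability (step 1) plus scores."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # step 3: 1 (rare) .. 5 (almost certain)
    impact: int      # step 2: 1 (negligible) .. 5 (patient harm)
    mitigations: list[Mitigation] = field(default_factory=list)

    def inherent_risk(self) -> int:
        """Step 4: risk level before any mitigation."""
        return self.likelihood * self.impact

    def residual_scores(self) -> tuple[int, int]:
        """Apply mitigations; scores never drop below 1 (a control cannot make a risk vanish)."""
        likelihood = self.likelihood - sum(m.likelihood_reduction for m in self.mitigations)
        impact = self.impact - sum(m.impact_reduction for m in self.mitigations)
        return max(1, likelihood), max(1, impact)

    def residual_risk(self) -> int:
        """Step 5: risk level after mitigation."""
        likelihood, impact = self.residual_scores()
        return likelihood * impact

    def accepted(self) -> bool:
        """Step 5: does the residual risk meet the acceptance criterion?"""
        return self.residual_risk() <= ACCEPTABLE_RISK


def rate(score: int) -> str:
    """Map a 1-25 score onto a qualitative level (assumed bands)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def needs_further_treatment(register: list[RiskItem]) -> list[str]:
    """Assets whose residual risk is still above the acceptance criterion."""
    return [item.asset for item in register if not item.accepted()]


# Constructed sample register for a hypothetical device fleet.
SAMPLE_REGISTER = [
    RiskItem("pump firmware update channel", "tampered firmware image pushed to pump",
             "update images are not signature-checked", likelihood=3, impact=5,
             mitigations=[Mitigation("signed firmware verified at boot", likelihood_reduction=2)]),
    RiskItem("patient telemetry in transit", "eavesdropping on clinic network",
             "plaintext HTTP to web dashboard", likelihood=4, impact=3,
             mitigations=[Mitigation("TLS with server authentication", likelihood_reduction=3)]),
    RiskItem("legacy bedside monitor", "remote exploitation of exposed service",
             "unpatched OS with no vendor updates", likelihood=4, impact=4,
             mitigations=[Mitigation("network segmentation", likelihood_reduction=1)]),
]

if __name__ == "__main__":
    for item in SAMPLE_REGISTER:
        print(f"{item.asset}: inherent {item.inherent_risk()} ({rate(item.inherent_risk())}), "
              f"residual {item.residual_risk()} ({rate(item.residual_risk())}), "
              f"accepted={item.accepted()}")
    print("needs further treatment:", needs_further_treatment(SAMPLE_REGISTER))
```

The point the register makes is the one the critics in the article raise: the legacy monitor keeps a residual score above the acceptance criterion because segmentation alone only nudges the likelihood, so the loop flags it for more treatment rather than closing it out.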


Today 47% of healthcare providers and payer respondents have integrated consumer products such as wearables or operational technologies such as automated pharmacy-dispensing systems, according to a PwC report. But only 53% implemented security controls for these devices, the study found.

But according to some, the FDA's guidelines are too little, too late.

"The FDA's recently released guidelines for medical device security focus largely on securing the device at the point of manufacture. Ask any IT administrator tasked with BYOD security, and they'll tell you device security isn't the answer," Ryan Kalember, chief product officer at WatchDox, told InformationWeek. "As with the BYOD challenge, it's not the device that's at risk; it's the data. Health data isn't going to stay on the device forever. To be useful, data must be accessed, analyzed, and reported. And data is far more vulnerable when it's in transit from the device to a web-based dashboard, for instance. For that reason, I do not think the FDA's approach will be adequate in protecting healthcare companies from security breaches."

Chris Petersen, chief technology officer and co-founder of LogRhythm, said the FDA waited far too long to release these guidelines. "Healthcare providers are not unique in having applied the majority of their security focus on keeping adversaries out, focusing less on internal defenses. This typically means, once an adversary is in, they find themselves within a highly vulnerable environment they can further exploit," he said.

"What is unique to healthcare environments are the number of IP-connected medical devices that typically have not been hardened to withstand cyberthreats -- at all. Manufacturers of medical devices have focused first on delivering to the needs of the patient. Securing these devices from advanced threats has not been a mandate and is typically not a focus. The FDA's guidance puts a focus on devices going forward, but it doesn't address the millions of IP-enabled devices currently in operation across healthcare networks globally."


Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...
