As discussed in Jonathan Langer’s recent article, there is an increasing focus on ensuring that the medical devices that keep patients healthy are secured against cybersecurity threats. There are tens of millions of medical devices connected to the internet, and security tools designed for non-healthcare technologies are not the right fit for devices tasked with keeping patients alive.
The FDA has taken a strong stance on medical device security, issuing the 2016 Postmarket Guidance for Medical Device Cybersecurity and the 2018 Premarket Guidance for Medical Device Cybersecurity (Draft). While these documents describe device security as a "shared responsibility" between medical device manufacturers (MDMs) and hospitals and other healthcare delivery organizations (HDOs), it's clear that the problem affects MDMs and HDOs in very different ways.
If a medical device were hacked in a clinical setting, it could disrupt the delivery of care or even harm a specific patient. A 2018 study by researchers at Vanderbilt University found that over 2,100 patient deaths annually are related to data breaches at hospitals. Yet many hospitals have contracts with their device vendors that place some (or all) of the liability for cybersecurity incidents on the MDM, especially in the case of Protected Health Information (PHI) breaches. Nor does the FDA have regulatory purview over hospitals that would let it shut down a hospital with poor security practices.
If a vulnerability is found in a medical device, it likely needs to be fixed, which means software engineering work by the MDM. A recall may follow, costing the device vendor revenue. And the vendor's brand could suffer, making it harder to sell that product to hospitals in the future.
For this reason, much of the FDA's pre- and postmarket guidance has focused on what medical device vendors need to be doing to build medical devices that are secure by design. This has placed the onus of responsibility disproportionately on the shoulders of MDMs.
The FDA and hospitals, such as the Mayo Clinic, are demanding a proactive approach to security from medical device manufacturers. The Premarket Guidance requires MDMs to build security features such as encryption, cryptographic signature verification, and intrusion detection into their devices. The FDA has also incentivized MDMs to patch vulnerabilities quickly and to participate in coordinated disclosure with the healthcare community when vulnerabilities are found. This requires a tremendous organizational shift for most MDMs that haven't yet embraced proactive security.