AdvaMed responds to congressional cybersecurity inquiry

Dive Brief:

The medical device industry responded last week to a congressional inquiry into what steps the industry is taking to mitigate cybersecurity threats to medical devices.
Sen. Mark Warner, D-Va., who sits on the Senate Finance and Intelligence Committees, asked on Feb. 21 for information to inform the development of "a national strategy that improves the safety, resilience, and security of our health care industry."
AdvaMed outlined five areas of focus to improve device cybersecurity: ensuring cybersecurity and security risk management is built into a device during development; working with partners to coordinate strategies to tackle cybersecurity; implementing coordinated vulnerability disclosure policies; ensuring industry participates and shares information about threats and vulnerabilities with each other and government; and adopting consensus standards, regulations and education opportunities.

Dive Insight:

Earlier this month AdvaMed announced an effort to establish an Information Sharing and Analysis Organization during the first half of 2019.

The group, deemed the MedTech ISAO, will be only available to AdvaMed members to help build trust among participants, AdvaMed executives told reporters on a press call.

"ISAOs allow communities of interest to share cybersecurity-related information with each other and can provide timely cybersecurity information otherwise unavailable to a specific company that might prevent, or at least identify, compromises, reveal potential vulnerabilities, and promote useful system modifications, threat reduction, and cost savings," Zachary Rothstein, AdvaMed vice president of technology & regulatory affairs wrote to Warner.

Interestingly, Rothstein cites FDA’s cybersecurity guidance issued on Dec. 28, 2016, as evidence the industry and FDA are working to better manage device cybersecurity in the postmarket setting.

"It is important to understand that these documents do not merely convey ‘guidance’ that a manufacturer may choose to follow. Instead, these documents explain how FDA’s Quality System Regulation, 21 C.F.R. § 820 et seq., apply in the context of medical device cybersecurity," Rothstein wrote.

AdvaMed also pointed to a litany of partnerships designed to mitigate cybersecurity risks, including work with the Health and Healthcare Sector Cybersecurity Coordinating Council, Joint Cybersecurity Working Group, U.S. National Telecommunications Industry Association, Medical Device Innovation Consortium, Healthcare Information Sharing and Analysis Center, Department of Homeland Security’s National Cybersecurity and Communications Integration Center and International Medical Device Regulators Forum.

But the letter may not satisfy Warner, who asked for specific information on how many devices rely on "beyond end-of-life software and operating systems," personnel challenges AdvaMed faces and recommendations on specific federal laws or regulations to consider changing.