FDA, ECRI, device group keep up drumbeat on cybersecurity risks

Dive Brief:

FDA Commissioner Scott Gottlieb is cautioning that a potential cyber attack on medical devices connected to a network remains a persistent risk and said the agency is launching a cybersecurity playbook for healthcare providers, in coordination with Mitre Corporation.
ECRI Institute, a patient safety and medical device research organization, on the same day issued a report naming health technology cybersecurity as the top hazard facing the industry.
The Medical Device Innovation Consortium (MDIC), a public-private partnership, also came out with its own report encouraging adoption of coordinated vulnerability disclosure policies by device manufacturers to promote cybersecurity and patient safety.

Dive Insight:

Government agencies and organizations across the healthcare spectrum are sounding the alarm about the vulnerability of connected medical devices to cyber threats such as malware and unauthorized remote access that could result in patient harm.

FDA earlier this year released a Medical Device Safety Action Plan that calls for new authority to build security updates and patch capabilities into products at the design stage. Congress in April issued a request for information on how to improve cybersecurity in the medical device sector, noting that older "legacy" technologies may be more vulnerable to security threats than their modern counterparts.

The efforts are part of a response to the 2017 global ransomware attack dubbed WannaCry that froze computers at hospitals across the United Kingdom and disrupted businesses in more than 100 countries. Hundreds of thousands of devices were infected, according to the House Energy and Commerce Committee.

FDA stressed in its latest statement that it is unaware of any reports of an unauthorized user exploiting a cybersecurity vulnerability in a medical device in use by a patient. But the risk of such an attack persists, the agency said.

To address the problem, FDA in the coming months will publish a "significant update" to its 2014 premarket guidance for manufacturing issues that should be considered in the design and development of medical devices to ensure products adequately address cybersecurity risks. The draft guidance will discuss providing users with a "cybersecurity bill of materials" that would list software and hardware components of a device that could be susceptible to vulnerabilities, FDA said.

The agency also said its new playbook describes readiness activities that will help healthcare organizations better respond to a medical device cybersecurity incident, and it announced the creation of forums called information sharing analysis organizations for manufacturers to address issues.

ECRI placed cybersecurity on top of its annual list of health technology hazards after publishing 50 alerts and problem reports related to cyber risks in the last 18 months. The group called this a major increase over the prior period.

Meanwhile, MDIC said its report is intended to help industry better understand barriers impeding adoption of coordinated cybersecurity vulnerability disclosure policies and processes.