Over the past few years, the FDA has paid steadily more attention to potential cybersecurity holes created by medical devices. Now, health IT leaders are beginning to engage more fully in what is becoming a two-way discussion.
Without a doubt, the conversation is badly needed. According to a study published last year by research firm Frost & Sullivan, hospitals have begun to focus on fostering interoperability between medical devices and EHRs, and that often includes devices with questionable security protections in place.
Those hospitals include members of CHIME, which serves chief information officers and other senior health IT leaders. Drawing on its experience, CHIME recently offered feedback to the FDA on managing the process of approving cybersecurity provisions in medical devices.
In a recent letter to the agency, CHIME laid out five concerns regarding what the FDA should consider when analyzing medical device cybersecurity:
- That medical devices are part of an ecosystem which includes but is not limited to networks, switches, firewalls, applications and other components, and that both device makers and the agency should bear the entirety of this ecosystem in mind when planning for cybersecurity.
- That the agency should make more explicit the steps manufacturers must meet to protect patient safety, and possibly establish a certification process similar to that in place for EHRs.
- That the FDA’s pre-market guidance for medical device manufacturers should explicitly reference voluntary guidelines developed by HHS in cooperation with the industry, including the Medical Device and Health IT Joint Security Plan and Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients.
- That authentication and authorization of safety-critical commands be addressed, and in particular that user authentication be required before any software or firmware update is permitted, including updates affecting the operating system, applications, and security controls.
- That the agency should create a new definition for patient safety which distinguishes it from patient harm, and that information risks such as privacy violations deserve their own category.
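To make the fourth point concrete, here is an added illustration (not code from CHIME, the FDA, or any device maker) of a device-side update gate that enforces the order the letter asks for: authenticate the caller, check that the caller's role is allowed to update that component, and only then verify the update image. Everything in it is assumed for the example: the role names, the per-target policy table, and the use of an HMAC over a shared key as a stand-in for the vendor's real image signature scheme (a production device would verify an asymmetric signature against a key burned into the device).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed policy for the example: which roles may push updates to which
# component. "security_controls" and the OS are reserved for vendor service.
UPDATE_POLICY = {
    "application": {"biomed_engineer", "manufacturer_service"},
    "operating_system": {"manufacturer_service"},
    "security_controls": {"manufacturer_service"},
}


@dataclass
class Session:
    user: str
    role: str


@dataclass
class UpdateRequest:
    target: str                       # component being updated
    image: bytes                      # update payload
    signature: bytes                  # authenticity tag over the payload
    session_token: Optional[str] = None  # None models an unauthenticated caller


@dataclass
class UpdateGate:
    # Constructed stand-in for the vendor's verification key (see lead-in).
    signing_key: bytes
    sessions: Dict[str, Session] = field(default_factory=dict)
    audit_log: List[Tuple[Optional[str], str, str]] = field(default_factory=list)

    def login(self, user: str, role: str) -> str:
        """Issue a random session token; real devices would do this after a credential check."""
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user, role)
        return token

    def expected_signature(self, image: bytes) -> bytes:
        """HMAC-SHA256 tag used here in place of a vendor signature."""
        return hmac.new(self.signing_key, image, hashlib.sha256).digest()

    def _deny(self, reason: str, req: UpdateRequest, session: Optional[Session]) -> Tuple[bool, str]:
        self.audit_log.append((session.user if session else None, req.target, reason))
        return False, reason

    def gate(self, req: UpdateRequest) -> Tuple[bool, str]:
        # 1. Authentication: no session, no update, regardless of how good the image looks.
        session = self.sessions.get(req.session_token) if req.session_token else None
        if session is None:
            return self._deny("unauthenticated", req, None)

        # 2. Authorization: the caller's role must be permitted for this component.
        allowed_roles = UPDATE_POLICY.get(req.target)
        if allowed_roles is None:
            return self._deny("unknown_target", req, session)
        if session.role not in allowed_roles:
            return self._deny("unauthorized_role", req, session)

        # 3. Image authenticity, checked in constant time only after 1 and 2 pass.
        if not hmac.compare_digest(self.expected_signature(req.image), req.signature):
            return self._deny("bad_signature", req, session)

        self.audit_log.append((session.user, req.target, "accepted"))
        return True, "accepted"


if __name__ == "__main__":
    gate = UpdateGate(signing_key=b"constructed-demo-key")
    image = b"firmware-v2-constructed-payload"
    good_sig = gate.expected_signature(image)
    print(gate.gate(UpdateRequest("application", image, good_sig)))  # unauthenticated
    eng = gate.login("eng01", "biomed_engineer")
    print(gate.gate(UpdateRequest("application", image, good_sig, eng)))  # accepted
    print(gate.gate(UpdateRequest("security_controls", image, good_sig, eng)))  # unauthorized_role
```

The ordering is the point: an unauthenticated caller never reaches signature verification, so a leaked or weak signing key alone is not enough to push an update, and every refusal lands in the audit log with the component and the reason, which is what an incident responder will want later.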
It’s good to see the FDA engaging in a dialogue with provider organization leaders, as from what I’ve seen in the past most discussions have remained largely between the manufacturers and the agency. We need more of these discussions that lead to needed changes.
Also, I have to say that a couple of these suggestions look good on their face. For example, you don’t need a Ph.D. in cybersecurity to know that making it a bit harder for outsiders to execute malicious software updates is probably wise. I’m also intrigued by the idea of making device makers meet a cybersecurity standard, though recent challenges to some EHR vendors’ certifications do raise questions about this approach.
All told, I’d argue that this kind of FDA-health IT leader conversation needs to continue for the foreseeable future. As I see it, the FDA is already behind.