World Report
Stronger rules needed for medical device cybersecurity
TEK IMAGE/Science Photo Library/Corbis
Experts say that health systems in the USA and other countries are not prepared for cybersecurity threats and existing and draft regulations are weak. Brian Owens reports.
For the FDA draft guidelines see http://www.fda.gov/downloads/ MedicalDevices/ DeviceRegulationandGuidance/ GuidanceDocuments/ UCM482022.pdf
1364
The US Food and Drug Administration’s (FDA) latest draft guidelines for postmarket management of cybersecurity risks in medical devices are a good start, but need to be given greater force to ensure the health-care sector starts taking cybersecurity more seriously, according to cybersecurity experts. The draft guidelines issued earlier this year are based on the critical infrastructure cybersecurity framework developed in 2014 by the National Institute of Standards and Technology (NIST), adapted with specific recommendations for medical devices and systems. They encourage device manufacturers to continue to proactively plan for, monitor, and respond to potential cybersecurity vulnerabilities in medical devices after they have been released for sale, and to share information about known problems. “Surveillance for device vulnerabilities is not something that has been active to date”, says Suzanne Schwartz, acting director of emergency preparedness and medical countermeasures at the FDA’s Center for Devices and Radiological Health. “There were no rules or framework for what the expectations are when vulnerabilities occur.” But James Scott, senior fellow at the Institute for Critical Infrastructure Technology, a think tank based in Washington, DC, USA, is worried that the guidelines will not be taken seriously without the full force of mandatory regulations behind them. “There is no undertone that this is going to be anything other than suggestions, it’s kind of like a friendly reminder”, he says. The content of the guidelines is good, he says, they just need some kind of regulatory audit to force companies to follow the bare minimum of good cybersecurity practices. “If you look at how hospitals and health care is a critical
infrastructure, they’re supposed to be following these guidelines anyway”, he says. “If they were going to follow them, they would have done it in 2014 when the NIST framework came out.” That softer touch was by design, says Schwartz. “We don’t want to be highly prescriptive, but instead point to standards and provide a way to approach the issue”, she says. And she points out that although the guidelines themselves do not have the force of regulations, they do fall under the agency’s Quality System Regulation, which manufacturers are required to follow.
“...the health sector is lagging behind on cybersecurity, putting patients’ data, and lives, at risk.” Health-care systems face the same cybersecurity problems as other computer systems, but with potentially much worse consequences, says Erik Vollebregt, a lawyer who specialises in medical technology. It is becoming commonplace for every medical device, from digital thermometers, to MRI machines, to pacemakers, to be connected to the internet and to each other, allowing for remote software updates and collection of patients’ data. But the health sector is lagging behind on cybersecurity, putting patients’ data, and lives, at risk. “Hospitals are abysmally bad at network security. Often all their devices will be on the same network, with no partitions or firewalls”, says Vollebregt. “They need to do lots of work to fix it.” The health-care sector is coming late to the game of cybersecurity, agrees Schwartz. “As an entire critical infrastructure sector, we are behind finance and some of the other sectors”, she says. This is mainly because, so far,
the health-care system hasn’t been a major target for hackers. “A sector matures as a result of being hurt a few times”, says Schwartz. “The finance sector was hit well before public health, and has learned how to deal with it.” But that is starting to change. In February, 2016, the Hollywood Presbyterian Medical Center, CA, USA, paid hackers US$17 000 to regain access of the hospital’s computers after a “ransomware” virus locked doctors out of the system. Both Scott and Vollebregt say it is only a matter of time before situations previously confined to the realm of fiction—such as a hacker gaining control of wireless pacemakers or insulin pumps— become a plausible danger. This growing threat is the reason that regulatory bodies are moving quickly to boost cyber defences. And even if the FDA guidelines seem lacking in force, they are preferable to the patchwork quilt of regulations in the European Union, says Vollebregt, where various overlapping rules touch on medical devices or cybersecurity, but a single clear guidance is absent. “Lots of indirect regulations exist or are being developed in Europe, but nothing similar to the FDA guidelines”, he says. He thinks European regulators should adopt the FDA rules. “Most of the devices are on the market in both jurisdictions, so it makes sense to have the same rules”, he says. “IT is the same everywhere.” The FDA is accepting comments on the draft guidelines until April 21, and Scott hopes that the final version will strengthen the rules. “It’s good that they started this conversation around cybersecurity”, he says. “Hopefully in April we will get something we can really sink our teeth into.”
Brian Owens www.thelancet.com Vol 387 April 2, 2016