How Cybersecurity Regulations for Medical Devices Are About to Change
JAN 14, 2018 00:32 AM

by Larry Alton
2017 has been an eye-opening year for the state of cybersecurity. The WannaCry ransomware attack, which affected more than 300,000 computers and caused billions of dollars in damage, showed us how vulnerable our personal devices can be. The Equifax data breach, which compromised 143 million records, showed us that even our most trusted institutions are vulnerable.
With the increasing sophistication and availability of medical devices, cybersecurity is becoming an especially important concern for the healthcare industry. But why is it that medical devices are so vulnerable, and should we be doing more to regulate their development and ongoing management?
Why Medical Devices Are So Vulnerable 
Medical devices are vulnerable during their development, deployment, and through the end of their lifecycle. But why are medical devices so vulnerable to attacks in the first place? 
  • Patient health. If your computer is compromised by a cyberattack, you might lose access to your personal files, or even your personal data. If your medical device is compromised, you could be injured, or even killed. These devices are tied to your personal health, and are therefore more valuable and more vulnerable. That heightens their priority level for cybersecurity experts. 
  • Increasing prevalence. The popularity and availability of high-tech medical devices have also increased. More sophisticated types of technology are in circulation, and more patients are depending on those devices for their health, or even their survival. With hospitals transitioning to the digital age, this presents cybercriminals with thousands to millions of potential targets, and every new device could represent another opportunity. The fact that many devices are often interconnected in a single network makes the opportunity even more appealing. 
  • Value. Finally, we have to consider the value of hacking into a medical device. Because they’re tied to patient health, people will be willing to pay more to protect or release them. Because they’re usually loaded with sensitive, personal data, they represent an opportunity for identity theft.
FDA Guidelines
Fortunately, the FDA has taken an active role in trying to improve the cybersecurity of medical devices. The organization acknowledges openly that all devices are going to have some degree of risk, but has a central goal of mitigating that risk as much as possible, working with manufacturers, engineers, hospitals, and facilities to improve patient safety.
While the FDA doesn’t have any formal pre-market testing, they do have an extensive list of guidelines for manufacturers to follow, originally released in 2016. Most of these are intended to persuade both manufacturers and healthcare facilities to be proactive in identifying risks, take measures to limit those risks, and educate patients about those risks so they can make more informed decisions.
The FDA is making new efforts in this area as well:
  • In October 2016, the FDA partnered with the National Health Information Sharing and Analysis Center (NH-ISAC) and the Medical Device Innovation, Safety and Security Consortium (MDISS). Together, the three organizations are sharing data, establishing pathways to recognize and address cybersecurity threats, and producing a framework to assess risks.
  • In May 2017, the FDA partnered with the National Science Foundation (NSF) and Department of Homeland Security, Science and Technology (DHS, S&T) on a public workshop, titled Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis. Working with stakeholders directly, the workshop was designed to look for new opportunities for FDA research and intervention, and identify the biggest challenges facing medical device cybersecurity. 
Future Developments
So what does the future hold for medical device regulation? That depends on a few different factors. The FDA has limited power for intervention, and therefore prioritizes making recommendations to manufacturers, who then have the power to take action.
Hospitals and healthcare professionals have a strong say in which devices they integrate into their practice, meaning they have the buying power that could persuade manufacturers to have higher or lower security standards. And of course, the emergence of new, specific cyber threats could also push development in a specific direction.
Ultimately, the future of medical device security is going to depend on market demand and on the push factors accelerating its development. It’s a major hurdle that needs to be addressed, but how it will be addressed remains uncertain as we continue making advancements.