AHA: Medical Device Makers Should Be Accountable for Cybersecurity
November 27, 2014 in News
On Friday, the American Hospital Association sent a letter to FDA encouraging the agency to continue to pursue efforts that will hold medical device manufacturers accountable for cybersecurity, Health IT Security reports.
The letter came in response to an FDA request for comments on collaborative approaches for medical device manufacturers and cybersecurity (Snell, Health IT Security, 11/24).
Background on Medical Device Cybersecurity Concerns
In October, news broke that the Department of Homeland Security is investigating possible vulnerabilities in about 24 devices.
According to sources familiar with the cases, the medical devices under review include:
- Hospira’s drug infusion pump;
- Medtronic’s implantable heart device; and
- St. Jude Medical’s implantable heart device.
However, officials said that there have been no documented instances of medical device hacking.
In the letter, AHA Senior Vice President of Public Policy Analysis and Development Linda Fishman wrote, “[M]edical devices have been identified as key vulnerabilities and high-risk areas for the security of hospitals’ overall information systems.” She added that the health care and public health sector “cannot successfully protect against cyber risk unless all parts of the sector actively manage risk” (EHR Intelligence, 11/24).
AHA said that FDA should encourage device manufacturers to take part in existing initiatives to share information on cybersecurity risk. Fishman listed several existing information-sharing activities, including:
- The Healthcare and Public Health Sector Coordinating Council;
- The Healthcare and Public Health Information Sharing and Analysis Center;
- The Health Information Trust Alliance;
- InfraGard; and
- The Industrial Control Systems Cyber Emergency Response Team.
She wrote, “These various public, private and joint forums allow participants to share the threats and vulnerabilities they observe, and learn how best to protect against emerging attacks” (AHA News, 11/21).
Fishman also applauded FDA’s recent guidance, adding that the agency should address manufacturers’ expectations for legacy devices because many devices are designed for long-term use and should be updated to accommodate new cybersecurity threats.
In addition, Fishman wrote that hospitals and other users of medical devices could benefit from device manufacturers including automated tools to track access or identify potential breaches.
However, AHA cautioned FDA to strike a balance by developing cybersecurity information-sharing activities that do not affect current health security rules, such as those in HIPAA and HITECH (EHR Intelligence, 11/24).