
It will take more than the first cyberattack-related death for healthcare’s security wakeup call

February 15, 2021

The truth likely lies somewhere between the two, but it is important to note that disclosures indicate an active product security function. There are still many device manufacturers that have yet to disclose a single vulnerability, despite having the same vulnerabilities others have already disclosed. We applaud those device vendors that are actively engaged in the ecosystem, and we anticipate that once the FDA Premarket Cybersecurity Guidance (October 2018) is finalized (anticipated in 2021), disclosures will increase another 4x.



Path forward
We need laws that incentivize the builders of technology, not the consumer. We also need technology components that are secure by design as well as easy to implement and maintain.

The healthcare industry has made tremendous progress, and that must be acknowledged. The issuance of multiple guidance documents from international regulatory bodies and industry leaders, and the voluntary engagement by device vendors and security researchers at the DefCon Biohacking Village, are signs that times are changing. Collaboration between MDMs and external stakeholders such as DHS and security researchers demonstrates a shift in culture in which sharing and discussing vulnerabilities is not something to conceal, but a sign of maturity and something to encourage.

Healthcare companies are challenged with determining how to continue to innovate and deliver clinical therapies while remaining secure. Until now, the burden has fallen heavily on healthcare delivery organizations to ensure devices are operating in a secure environment. Going forward, relying on network security as a primary defense is both impractical for devices operating out in the field and insufficient for those that remain inside the hospital.

Developing a proactive strategy to ensure security is designed into a device from the inception of the product development lifecycle is the best bet we have for moving the needle on patient safety through medical device cybersecurity.


About the author: Seth Carmody is the Vice President of Regulatory Strategy at MedCrypt. Prior to MedCrypt, Carmody worked as the cybersecurity program manager in the Office of the Center Director, Emergency Preparedness/Operations & Medical Countermeasures, within the U.S. Food and Drug Administration (FDA)'s Center for Devices and Radiological Health (CDRH).
