IT, security pros want FDA to ratchet up device cyber protection
CHIME, a professional association for chief information officers, and AEHiS, which represents chief information security officers, seek tighter control of medical devices for security purposes.
The organizations this week submitted comments to the Food and Drug Administration in response to the agency’s request last October for industry guidance on the content of premarket submissions for management of cybersecurity protections in medical devices.
The guidance is intended to provide recommendations to industry regarding cybersecurity device design, labeling and the documentation that the FDA recommends be included in premarket submissions for devices that have a cybersecurity risk.
Devices are part of an ecosystem, CHIME CEO Russell Branzell and AEHiS Chairman Sean Murphy told regulators in the joint comment letter.
“An infected device can serve as a beachhead for intruders intent on gaining entry to a healthcare provider’s network. Since devices are part of a larger healthcare technology ecosystem, it is important to recognize that the patient safety threats being discussed extend well beyond medical devices, even if they originate there. Therefore, singling out medical devices without recognizing that there are networks, switches, firewalls, applications and other components that come with medical devices does not adequately capture the risks,” the letter states.
As such, FDA should add to its definitions list a line recognizing that medical devices are part of an ecosystem, the trade groups recommend.
CHIME and AEHiS also cautioned regulators about manufacturer perceptions of the guidelines. “Many of our members continue to be confronted with some manufacturers who refuse to take action on known vulnerabilities, calling them controlled risks or saying they will wait until the FDA recalls a device.” Consequently, the trade groups recommend that the agency make more explicit the steps a manufacturer must take to ensure patient safety and that it consider requiring manufacturers to meet a certification standard.
Regarding legacy devices, the trade groups remind the FDA that such devices may lack ongoing vendor support, which can affect entire information systems or components such as firmware, drivers, operating systems and other legacy applications in use. Every vendor and healthcare organization, CHIME and AEHiS contend, should be able to identify and classify legacy systems and develop approaches to mitigate their risks.
Equally risky are obsolete operating systems, according to both trade groups. “Our members have estimated as many as 35 percent to 45 percent of devices within health systems are in the end-of-life stage with no ongoing support, and the number is likely higher in rural areas.” The FDA recognizes the risks of end-of-life devices, CHIME and AEHiS acknowledge; however, software should be considered part of the device, and embedded software should therefore be addressed more explicitly by the FDA.
Finally, Branzell and Murphy disagree with a notion that developers be the ones to decide whether a risk is controlled or uncontrolled. “We do not believe this self-policing is fruitful,” they contend. “In fact, providers are held to a much higher standard under OCR privacy rules around breaches and must prove protected health information has not been compromised in the case of a breach.”
The FDA’s complete guidance is available here.