Health Law Daily IT industry calls for stronger FDA stance on device cybersecurity
Friday, February 19, 2016

IT industry calls for stronger FDA stance on device cybersecurity

By Kayla R. Bryant, J.D.

The FDA’s “subtle suggestions” for medical device manufacturers related to cybersecurity are not enough for those at the Institute for Critical Infrastructure Technology (ICIT). ICIT affiliates expressed their concerns in a blog and called for regulatory enforcement, which they believe is necessary to resolve vulnerabilities and defend against hackers. The authors reviewed an agency January 2016 draft guidance, which created a framework for manufacturers but contained non-binding recommendations (see FDA provides guidance on addressing cybersecurity threats to medical devices, January 22, 2016).

Guidelines vs. regulations. ICIT admits that regulations are difficult to develop because of the differing constraints surrounding various organizations and agencies. When regulations are implemented, they are often not equal to the threat because they are designed around the “maximum capability of the weakest organization.” Guidelines, however, can be followed as far as possible but adapted to the capabilities of a company or device. The authors emphasize that the freedom surrounding the guidelines should not result in patient harm because manufacturers decide to disregard best practices. Previous communications from the agency have undergone similar attacks from other sources, deemed “watered down” and “wishy-washy.”

Guidance. The FDA stressed that manufacturers should keep an eye on vulnerabilities throughout the device’s lifecycle in light of evolving cybersecurity threats. ICIT noted that health information is particularly valuable to hackers, but that because the guidance is not binding, no party can hold an organization for failure to comply with these up-to-date suggestions. If a breach occurs due to failure to secure data, harm to a company’s reputation is the largest source of liability. This can cause an organization to fail to report a breach, hurting the community as a whole. The FDA only requires reporting of extreme vulnerabilities and exploits that could result in serious harm or death, while actions to mitigate less-severe issues can be considered routine updates and do not need to be reported. ICIT urged the health care community to improve cybersecurity on their own initiative, reminding the industry that comments on the guidelines can be submitted until April 21, 2016.

Companies: Institute for Critical Infrastructure Technology

MainStory: TopStory NewsStory MDNews ConfidentialityNews HITNews MDeviceNews IdentityTheftNews SafetyNews

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More
Health Law Daily

Health Law Daily: Breaking legal news at your fingertips

Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on health legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.

Free Trial Learn More