By SecureWorld News Team
Wed | Dec 13, 2017 | 7:31 AM PST

There is a bit of irony here.

In a letter to the FDA on ways the agency could reduce regulatory burdens for U.S. hospitals, the American Hospital Association asked for more FDA oversight for someone else.

Specifically, cybersecurity oversight for companies that make medical devices. There are tens of thousands of these devices that make up the Internet of Medical Things.

"The FDA must provide greater oversight of medical device manufacturers with respect to the security of their products. Manufacturers must be held accountable to proactively minimize risk and continue updating and patching devices as new intelligence and threats emerge," the AHA says. 

Part of the motivation for this request is the fallout from the WannaCry ransomware attack that locked up medical devices around the world. The AHA says member hospitals reported slow guidance, or none at all, from device manufacturers on how to recover from the attack. And it is time for that to change.

"We recommend that the FDA proactively set clear measurable expectations for manufacturers before incidents and play a more active role during cybersecurity attacks. This active role could include, for example, issuing guidance to manufacturers outlining the expectations for supporting their customers to secure their products."

Cybersecurity low priority for medical devices

Barry Caplin, former VP & CISO at Fairview Health Services, tells SecureWorld there is one big reason medical device manufacturers do not 'bake in' cybersecurity.

“Security is an afterthought because they’re not required to do it. There is no regulatory body saying, ‘you must do this.’ Now maybe it’s going to happen going forward, there is some pending legislation in the U.S. Senate, but I think we as consumers need to push back on this, so vendors will get religion around security,” Caplin says.

Cybersecurity becoming a matter of life and death

U.S. Bank CISO Jason Witty, a SecureWorld Advisory Council leader, says it's time to move past the idea of cybersecurity and focus on cyber safety. “It’s not just about protecting your data anymore,” he told SecureWorld. “It’s also about making sure that whatever the physical manifestation is, something connected to you, the hospital you are in for care or the car you drive. It’s about the pacemaker that’s implanted in your chest and making sure these things are not going to actually kill you.”

Based on the American Hospital Association's letter to the FDA, the AHA and its 5,000 member hospitals must feel the same way.
