Despite the growing attention medical device security has been getting from regulators in recent years, only about half of manufacturers say they follow federal guidance for addressing cybersecurity risk, says security expert Mike Ahmadi.
Some 51 percent of the 242 medical device makers who participated in a survey conducted this spring by research firm Ponemon Institute say they adhere to guidance from the Food and Drug Administration to mitigate or reduce inherent security risks in medical devices, says Ahmadi, global director of critical systems security for Synopsys Software Integrity Group, which sponsored the survey.
And of the 262 healthcare delivery organizations that participated in the research, only 44 percent said they follow the FDA's guidance for mitigating and reducing security risks in the use of those products.
"That's a shockingly low number for a regulated industry," he says in an interview with Information Security Media Group analyzing the survey's findings.
Lack of Enforcement
"The problem with guidance is that it's 'guidance,' which means really that it's optional," he says. "The FDA claims it can enforce it, but the truth is that the FDA doesn't enforce it. And that's the problem we have today."
In December, the FDA issued final guidance for how medical device manufacturers should help maintain the cybersecurity of network-connected devices once they are in use. That nonbinding guidance for managing postmarket cybersecurity was a companion to guidance the FDA issued in 2014 that focuses on premarket security steps manufacturers should take before they start selling a device.
In a statement provided to ISMG, the FDA says it generally does not comment on specific studies, "but evaluates them as part of the body of evidence to further our understanding about a particular issue and assist in our mission to protect public health. The FDA is carefully reviewing the findings of the report. The FDA takes medical device cybersecurity seriously, and we look forward to engaging directly with the sponsor of the report so we can have a better understanding of the report's data, methodologies of information collection and conclusions."
The FDA also notes: "Medical device manufacturers must comply with federal regulations. Part of those regulations, called quality system regulations, require that medical device manufacturers address all risks, including cybersecurity risk. The FDA has issued pre- and post-market cybersecurity guidances to provide recommendations for manufacturers to meet QSRs. These guidances represent the agency's current thinking on this topic. Among other things, these guidances reflect the FDA's current interpretation of its existing regulations. Manufacturers may choose to follow the recommendations in these guidances, or they may choose other methods of managing cybersecurity in their devices, so long as they comply with the requirements outlined in the QSR and all other applicable FDA laws and regulations."
In the interview, Ahmadi also discusses:
- The percentage of medical device makers and healthcare organizations that admit to being aware of patients experiencing adverse events or harm due to an insecure medical device;
- Why healthcare organizations should avoid buying medical devices that run legacy operating systems, such as Windows XP;
- The low number of organizations that say they test their medical devices for security vulnerabilities.
Ahmadi is the global director of critical systems security for Synopsys Software Integrity Group, with expertise in critical infrastructure security, including industrial control systems and healthcare systems. He worked closely with the FDA to help develop its cybersecurity testing capabilities. Ahmadi also serves on the technical steering committee for the ISA Security Compliance Institute and as chairman of the TEVEES18A1 Cybersecurity Assurance Testing Task Force under the Society for Automotive Engineering.