Medical Device Makers Taking a New Approach to CybersecurityPhil Englert of H-ISAC on Tackling Evolving Security Challenges
New regulations, including those coming into effect in the U.S., are pushing many medical device makers to radically reconsider how they approach cybersecurity for their products, said Phil Englert of the Health Information Sharing and Analysis Center.
Under legislation signed into law last December, the Food and Drug Administration's recently enhanced authority over medical device cybersecurity is raising the bar on what the agency is requiring from manufacturers in the premarket of their products.
That includes submitting to the FDA details regarding a device's security controls, a plan for coordinated vulnerability disclosure and a software bill of materials. If the details are not sufficient, the FDA will automatically reject the product submission.
"The new regulatory authority that the FDA has been granted, new regulations that have been put into place in Europe that we see spreading across the globe, are going to force manufacturers to rethink how they engineer their devices, the components they select to put in them, so that they can be lower-cost to maintain but also more flexible to maintain," he said.
Englert expects some manufacturers will choose to disconnect "the device's clinical functionality from the interoperability - the connection to the outside world. That's an approach that some are taking, and that is a smart way to go."
Beginning Oct. 1, under its "refuse to accept" policy, the FDA will automatically reject medical device premarket submissions that don't include specific cybersecurity details required by the agency as spelled out under the new law.
In this video interview at the Information Security Media Group healthcare security summit in New York City, Englert also discussed:
- Top legacy medical device challenges;
- The most concerning cyberthreats involving medical devices;
- H-ISAC's information and cyber intelligence-sharing activities in the healthcare sector.
Englert has over 30 years of technical and operational leadership experience in healthcare and life sciences. Prior to joining H-ISAC, he served as chief product officer for MedSec, a cybersecurity consulting and services firm that focuses on hospitals and medical device manufacturers. He previously served as global leader for medical device cybersecurity at Deloitte, where he led client engagements developing medical device security programs.