FDA Guidelines Target IoT Medical Device Security

The U.S. Food and Drug Administration last week took a step toward addressing the threat the Internet of Things poses to patients and their data by releasing some proposed guidelines for managing cybersecurity in medical devices.
"A growing number of medical devices are designed to be networked to facilitate patient care. Networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats," the FDA says in its proposal.
"The exploitation of vulnerabilities may represent a risk to the safety and effectiveness of medical devices and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits," the agency notes.
"Proactively addressing cybersecurity risks in medical devices reduces the patient safety impact and the overall risk to public health," it says.
The guidelines offer best practices for assessing, remediating and reporting cybersecurity vulnerabilities in medical devices.
Stakeholders have 90 days to submit comments to the FDA on the proposed guidelines before they're finalized.

An IoT First

"The FDA is to be congratulated because this is the first time that somebody is acknowledging the risk associated with the Internet of Things," said Torsten George, vice president for global marketing at RiskSense.
The agency is raising the security bar for medical device makers, said Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society.
"I think that provides some assurance for healthcare providers, but they need to scan their networks for vulnerabilities, too," she told TechNewsWorld. "The healthcare providers can't turn a blind eye to this either."
The guidelines are especially important because healthcare IT is very compliance-oriented, noted Chris Wysopal, CTO of Veracode.
"If a regulating authority doesn't have anything to say, organizations think they don't have to do anything because they don't take a risk-based approach, as financial service companies or manufacturers do when they try to protect their brand or intellectual property," he told TechNewsWorld.

Guidelines With Teeth

While the FDA's move is a good one, guidelines are only recommendations on how to behave. Medical device makers could ignore them without having to worry about punishment -- yet.
"There are no fines mentioned yet, but they could come," RiskSense's George told TechNewsWorld.
Competition also could play a role in nudging device makers to comply with the guidelines.
"There are so many medical devices out there and so much competition that a differentiating factor could become compliance with these guidelines," HIMSS's Kim said.
The guidelines could provide fodder for potential legal actions against device makers.
"The courts are being very stringent when it comes to cybersecurity. If you're not following best practices these days, the courts are leaning toward consumers and end users when making their judgments," George noted.
"There's the potential that some attorneys looking at this would use these guidelines to establish negligence in a civil case," Kim said. "That legal pressure could be a motivator for medical device manufacturers to shore up their security practices."

More Concern Over App Flaws

Healthcare IT execs don't seem to share the FDA's heightened concern over the risks medical devices pose to patients and their data, according to a survey released last week by Veracode and HIMSS.
The survey, which was part of Veracode's "State of Web and Mobile Application Security in Healthcare" report, found that only 7 percent of the 200 participating healthcare IT execs placed the insecurity of IoT devices -- such as medical devices, POS devices, printers and building automation -- on their list of top security threats.
What most concerned the execs was cyberattackers exploiting vulnerabilities in applications (28 percent), followed by phishing attacks on employees, negligent employees and malicious insiders (26 percent).
Fears over application vulnerabilities are being raised with good reason.
"Data from actual code-level analysis of billions of lines of code conducted by Veracode shows that 80 percent of healthcare applications exhibit cryptographic issues such as weak algorithms upon initial assessment. Given the large amount of sensitive data collected by healthcare organizations, this is quite concerning," the report notes.
"In addition, healthcare fares worse than the vast majority of other industries when it comes to addressing remediation, with only 43 percent of known vulnerabilities being remediated," it continues.
Healthcare organizations should test the medical devices they use and hold vendors accountable for security gaps, the report recommends.
"Many medical devices, including MRI scanners, X-ray machines and drug infusion pumps, are vulnerable to hacking, creating significant health risks for patients," the report notes.
