What if hackers caused medical devices to malfunction? Disrupted healthcare services? Accessed patient information or electronic health record data? Those are examples of potential digital security pitfalls for the healthcare industry. Here's a piece I wrote for the National Law Journal about the need to develop industry standards for cybersecurity for medical devices and other health information technology:
A cybersecurity framework for medical devices and health-care technology needs to be developed in a partnership between the government, manufacturers and health-care providers, officials from across the public and private sectors said during a workshop convened by the U.S. Food and Drug Administration.
“Right now, for cybersecurity, we’re all in a reactive mode,” said Deborah Kobza, executive director of the National Healthcare Information Sharing and Analysis Center. “We need to change that to be in a preventive mode.”
The concern is that hackers could cause medical devices to malfunction, disrupt health-care services or steal patient information and electronic health records. The FDA, along with the Department of Health and Human Services and the Department of Homeland Security, sponsored the two-day workshop this week.
The Advanced Medical Technology Association’s Jeffrey Secunda said that, “for devices that are facing the Internet, you do have the risk of advanced persistent threats.”
How the FDA is going to approach cybersecurity, including evidence that devices have led to patient harm, “is exactly why we’re convening this meeting,” said Suzanne Schwartz, director of the FDA’s emergency preparedness/operations and medical countermeasures in the Center for Devices and Radiological Health.
Workshop participants said they were unsure how much tolerance there is for the risk that patients’ information could be breached in the effort to make electronic health records and health information technology “interoperable” and more accessible to patients.
Dr. William Maisel, the FDA’s chief scientist and deputy center director for science at CDRH, said there are 100,000 medical devices on the market and the technology changes rapidly. The FDA doesn’t view it as a solution to take in all the information about digital security vulnerabilities in medical devices and pass it on to the community, he said.
Instead, federal regulators want an “ecosystem where that information is being shared,” such as safe harbors for medical device manufacturers and health-care providers to make reports about cybersecurity breaches without incurring liability, he said.
Participants said that providers don’t report digital security breaches for fear of exposure during litigation.
The National Healthcare Information Sharing and Analysis Center’s Kobza noted that her group has entered a memorandum of understanding with the FDA to develop a protocol about sharing information about medical devices.