Device industry representatives discussed cybersecurity with lawmakers last week and offered some suggestions for how to improve it.
Michael McNeil, global product security and services officer at Philips, who spoke on behalf AdvaMed, told the House Energy and Commerce Committee security risks should be tackled via recognized standards and reference documents. He said the device industry is committed to developing a strong security framework that encompasses pre- and postmarket management of medical technologies.
Device cybersecurity is a “shared responsibility” among manufacturers, providers, and all other stakeholders in the healthcare community, he said. Engineers and other individuals outside device companies who discover vulnerabilities should have a way to let manufacturers and the FDA know about them, and manufacturers should “judiciously” share threat and vulnerability information, he said.
Terry Rice, vice president of IT risk management and chief information security officer at Merck, who serves on the board of the National Health Information Sharing and Analysis Center, said his group and other ISACs help the public and private sectors address cyber threats to the nation’s critical infrastructures.
Participation rates in ISACs are low, however, in part because companies are wary of disclosing confidential information. Rice said participation in ISACs could be encouraged through tax breaks and by appointing a cybersecurity specialist at the Department of Health and Human Services to act as a single point of contact for industry.