The Institute for Critical Infrastructure Technology says the FDA’s cybersecurity guidelines should have more teeth, arguing that devicemakers and healthcare providers have the ability to disregard the agency’s recommendations spelled out in draft guidance issued last month.
In a report issued last week, the nonpartisan think tank says that the FDA often seems to be making “subtle suggestions” to industry on cybersecurity, rather than enforcing strong standards. While some stakeholders have argued that strong standards could threaten innovation, the authors argue that a lack of “cybersecurity hygiene” can allow bad actors to access electronic health records and exploit vulnerabilities.
ICIT highlights draft guidance issued Jan. 15, in which the FDA outlines a voluntary framework organizations can use to ensure that their cybersecurity strategies address risks. These recommendations build on NIST’s 2014 “Framework for Improving Critical Infrastructure Cybersecurity,” which resulted from an executive order calling for a standardized cybersecurity framework.
“The recommendations are not regulations,” the report notes. “Regulatory frameworks are difficult to develop and enforce because different organizations operate under different constraints.” Organizations can choose not to follow guidelines set out by the FDA.
Further, there is an antiquated notion among managers that reporting a vulnerability, exploit or breach will lead to a perception that the affected organization is weak or incompetent. “These decision makers fail to realize that the digital age has brought about a desire for transparency and an active information sharing community,” the report states.
The draft guidance is a good start for the discussion of cybersecurity within the FDA and medical devices and health IT, but there is obviously a long way to go, says James Scott, a senior fellow at the ICIT.
“I hope the FDA puts some type of framework for actual regulations, so there is an actual standard in the industry,” he tells IDDM.
The report urges stakeholders to petition the FDA, in comments on the draft guidance, to give the guidelines regulatory teeth. Interested parties may comment on the draft document through April 21.