AHA Urges FDA Cybersecurity Oversight of Devicemakers

The recent ransomware attacks in the U.S. healthcare industry have highlighted the need for increased product security for medical devices, the American Hospital Association said in a letter to the FDA.

Representing nearly 5,000 healthcare organizations, the association called on the FDA to increase its oversight of the medical device industry and to ease the “substantial and unsustainable” regulatory burden on hospitals and health systems.

More FDA oversight is especially needed with regard to updating and patching devices as new threats emerge, as well as efforts to improve transparency and the dissemination of key information regarding device software during cyberattacks, AHA said.

The association pointed to the upwards 200,000 computers across more than 150 countries that were victims of the WannaCry ransomware attack earlier this year.

Ransom payments were demanded to restore the attacked systems, the AHA noted, and the healthcare sector was a prime target because of the nature of the services provided. “Medical devices with embedded, outdated software likely were the vector,” it said.

Some of its members reported that many devicemakers were slow to provide needed information about the products they use, such as the existence of cyber vulnerabilities, and the availability of device patches, during the WannaCry attack. The steps the devicemakers recommended to mitigate the impact of the attack, including taking a device off-line, were expensive, operational or affected patient care, according to the AHA.

In addition to recommending more FDA oversight of manufactures’ device security efforts, the AHA recommended that the agency “proactively set clear measurable expectations” for devicemakers before cyberattacks occur as well as play a more active role during cybersecurity attacks. The role could include issuing FDA guidance to devicemakers on the “expectations for supporting their customers to secure their products.”

As the healthcare system continues to be plagued by cyberattacks, new legislative efforts are underway to tackle the issue. Reps. Dave Trott (R-Mich.) and Susan Brooks (R-Ind.) introduced a bill mid-October targeting the country’s cybersecurity vulnerabilities in connected medical devices.

The Internet of Medical Things Resilience Partnership Act calls for the FDA and the National Institute of Standards and Technology to form a public-private partnership that would be charged with developing standards, guidelines, frameworks and best practices to enhance the country’s healthcare cybersecurity (IDDM, Oct. 16).

Last month, the House Energy and Commerce Committee set a Dec. 15 deadline for the Department of Health and Human Services to develop an action plan for creating “bills of materials” aimed at curtailing cybercrime. Each component of a medical technology would need to have its own BOM, as first recommended in a 2017 report from the HHS’ cybersecurity task force (IDDM, Nov. 27). — Ana Mulero