Industry stakeholders are asking Congress for financial support, guidance and FDA standards to shore up medical device security flaws, in response to a House Energy and Commerce Committee RFI.
The 300 pages of comments from various industry groups covered a wide range of issues, from the cost of shoring up medical device security to confusion surrounding FDA guidance on post-market cybersecurity.
To start, the American Hospital Association outlined the steps hospitals are taking to bolster cybersecurity. However, those efforts are hampered by the vulnerabilities posed by medical devices running on legacy systems — often a key entry point for hackers to gain access to a network.
While the risk posed by medical devices has long been hypothesized, a recent study from the University of California found that when these hacks occur, providers often don’t even know it. And although patching is crucial to keeping hackers out, doing so can hinder the function of the device.
What’s more, simply updating the legacy technology isn’t an option.
“Replacing these technologies is not financially feasible, with many hospitals only able to replace about 10 percent of devices in a given year,” AHA officials wrote.
In its comments, the American Alliance of Orthopaedic Executives estimated that the cost of cybersecurity upkeep was about $60,789 per practice. The group suggested that those costs could be reduced with federal assistance, which would include incentivizing adherence to security policy updates.
AAOE suggested that assistance could come in the form of tax breaks, an added expense component to Medicare reimbursements or “the creation of a ‘cybersecurity’ relative unit” tied to Medicare reimbursements to cover data security.
Meanwhile, AHA officials also commented that a single source of information around device security, coordinated disclosures and timely patches could help hospitals manage the vast number of device manufacturers on their systems — which could be coordinated by the Food and Drug Administration.
The Advanced Medical Technology Association also supported the FDA coordinating medical device vulnerabilities, calling device security a “shared responsibility” between manufacturers, providers and regulators.
The FDA must also go beyond pre- and post-market guidance and make security mandatory for legacy devices, as there’s no financial incentive to do so and the issues have yet to be resolved, AHA officials argued.
“Unfortunately, the healthcare sector, including the device sector, continues to be confused as to whether FDA guidance on post-market cybersecurity is binding,” AHA officials wrote. The FDA must create expectations for manufacturers to build security into products, provide security tools to end-users and update and patch as new threat intelligence becomes available.
Healthcare organizations also need to set up a process to both monitor and report cybersecurity threats and security events, including medical device and other IT events, to the FDA and research groups like the ECRI Institute, according to comments from ECRI.
ECRI officials added that organizations need to fold their medical device security plan into their full security policies, including risk assessments, reliable safeguards and a mitigation plan in case of a security event.
But Trinity Health officials focused on regulating manufacturers, recommending the FDA require manufacturers to implement secure device configurations based on a recognized standard. Further, the FDA must institute a fast-tracking process for system upgrades.
“The manufacturer needs a way to get approval for new versions of the operating system software quickly,” providing the update doesn’t affect device functionality, Trinity Health officials wrote. The FDA also needs to create a central repository of all device patches.
“Medical device security is critical for the operation of healthcare networks, as well as patient safety,” Trinity Health officials added. “Neither the manufacturer nor the [organization] can accomplish the goal of a secure medical device eco-system on their own. It is imperative that there is a collaborative effort to reach and maintain a secure medical device environment.”