As the benefits of software become increasingly present to healthcare systems, its risks do too. While software can increase the efficiency and effectiveness of healthcare, it can also create greater vulnerabilities. The medical device industry in particular has had to face cyber-security issues. The FDA has been criticized as struggling to keep up with the scope of the growing and rapidly changing industry.
On January the 15th 2016, the FDA released a draft guidance. The document suggested important measures medical device companies should take to ensure patient protection from cyber-security risks. Cyber-security is a difficult issue to tackle because of its developing nature. While companies must design products to prevent attacks, they must also maintain this protection by continual updates. The FDA’s draft guidance recommends post-market protocols for medical device manufacturers such as increased sharing of information via the Information Sharing Analysis Organization (ISAO) network. It also highlights monitoring information sources and improving device recall. All of these measures aim to further understand the impact and presence of cyber-security vulnerabilities.
The healthcare industry is the top target among all industries to cyber-attacks. Medical devices, especially those using legacy operating systems, are the most vulnerable to attackers within healthcare. The attacks are advanced and persistent. Hackers can hold patient systems randoms or threaten to make patient information public. In a complex system involving so many parties as well as different devices working together, health companies and providers struggle to ensure high medical device companies security hygiene.
Firstly, medical device companies must endeavor to comply with the FDA’s regulations on software design requirements. While products may function as different roles, compatibility among them is necessary. This makes the task yet more difficult. Secondly, healthcare organizations need to implement strategies that allow for the updating of their existing medical devices. This means better management of medical device life cycles, expiration date and access to the products after this date. Lastly, technology detecting attacks within the network rather than just at its perimeter must be further developed.
The Institute for Critical Infrastructure Technology has called for stronger regulations from the FDA. Rather than suggestions from the FDA, guidelines should be regulatory. A strong regulatory presence within this sector is feared to stifle innovation. However, low cyber-security hygiene could massively diminish any progress made. Patient safety must take priority — does potentially stifling innovation run contrary to this?