FDA's draft guidance on cybersecurity for medical device manufacturers too lax, ICIT report suggests

The Institute for Critical Infrastructure Technology's assessment of the Food and Drug Administration's January medical device cybersecurity guidelines has found them wanting, according to a recent report.

The guidelines, which include recommendations for addressing cybersecurity issues during the lifecycle of medical devices, are closer to subtle suggestions than to actionable regulatory enforcement, the authors of ICIT's report wrote. The recommended measures also fall short in their consideration of the threats healthcare organizations face in today's industry.

"Due to the industry's continuous lack of cybersecurity hygiene, malicious EHR exfiltration and exploiting vulnerabilities in healthcare's [Internet of Things] attack surface continue to be a profitable priority target for hackers," the authors wrote.

The FDA's recommendations omit a number of important points for healthcare organizations to consider, including that adopting better medical device cybersecurity practices not only protects the institution but also gives it an advantage over competitors.

"The cyber threat is real and bad actors are continuously evolving in both stealth and sophistication," the authors concluded. "Regardless of how medical device manufacturers and healthcare providers receive the guidelines, the FDA has clearly indicated that medical device cybersecurity is a priority. The healthcare community should note the gesture and take the initiative to assess their own networks and improve their cybersecurity."

© Copyright ASC COMMUNICATIONS 2020.