Why the FDA’s new cybersecurity guidelines could save your life (and save healthcare millions)
During my annual medical exam this week, it struck me how many of the devices used to measure our health today are networked and automated. Blood pressure devices. Scales. CT scanners and X-rays. Even sensors on pill bottles, prosthetics, and portable personal devices like pacemakers have their operations digitized, analyzed, visualized, tracked, shared and stored via wired, wireless or cellular networks.
Surprisingly, there are no government regulations or protections -- and punishments for non-compliance – when it comes to securing medical devices and Internet of Things (IoT)devices from cyber attack or data loss. That is soon to change.
Last week, the US Food and Drug Administration took the first regulation steps by releasing draft guidelines concerning cybersecurity and medical devices.
"A growing number of medical devices are designed to be networked to facilitate patient care. Networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats," the FDA says in its proposal.
For all of us, there are four provisions in the proposed guidelines that we should know:
1) Use & Maintenance
"The exploitation of vulnerabilities may represent a risk to the safety and effectiveness of medical devices and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits," the FDA notes. At minimum, the FDA recommends healthcare organizations test the medical devices they use. They should also implement best practices and vendor recommendations for upgrades, patches and use -- and hold vendors accountable for security gaps.
2) Data and Privacy
This year marks the 20th anniversary of HIPAA or the Health Insurance Portability and Accountability Act. At HIPAA’s core are provisions to protect personal information as it traverses the US healthcare system. HIPAA, however, has not kept pace with medical technologies. Unlike the Environmental Protection Agency’s (EPA) move to govern algorithms used to “make decisions," the proposed FDA guidelines don’t cover analytics and other mathematical formulas. The FDA does provide great provisions, however, for the sharing of data between universities, research and other health organizations -- data sharing that is critical to creating new treatments and medical breakthroughs.
Once issues are uncovered, quickly remediating or fixing the problem is crucial. The FDA notes that time to remediate is seen as a major risk to public health. Based on the fact that most data breaches remain unknown for 6 to 9 months, fixes can often be costly and misunderstood. One study shows that healthcare is an industry that needs better understanding and executive motivation as 43% of today's healthcare security vulnerabilitiesare unaddressed.
The number of reported breaches under HIPAA are staggering. It costs healthcare firms $1 million to over $2 million per breach. Human error or insider malice lead the pack and experts project that 9 our out of 10 HIPAA-mandated breach reports could have been avoided. The FDA’s proposal for similar reporting will directly impact providers and vendors alike.
Stakeholders now have 90 days to submit comments to the FDA on the proposed guidelines. Moving beyond guidelines to formal regulations with mandates with teeth seems logical and timely. The FDA's regulations should also cover wearables, like smart watches, that are used to measure fitness levels eligible for insurance discounts.
Since all of us have a stake in our own health, and thus the medical devices we use, what comments and suggestions would you give the FDA?