‘Underfunded’ FDA falls short in ensuring medical devices protect against cyberattacks, experts say
As the risk of cyberattacks on medical devices continues to mount, the Food and Drug Administration isn’t doing enough to ensure device makers include adequate security in their products, experts say.
They charge that part of the problem is that the agency lacks the funds and the trained personnel to evaluate the cyber risk the devices carry and enforce the rules it does have on the books for approving devices.
“I’ve spoken to device manufacturers, specifically product security people at device manufacturers, saying that they’ve been telling their organizations for the last year or two that they need to include cybersecurity as part of their submissions or else they’re going to get rejected,” said Mike Kijewski, CEO of medical device cybersecurity firm MedCrypt. “Yet for some of their recent submissions, they didn’t have a lot of cybersecurity documentation and they still got accepted by the FDA.”
Cyberattacks remain a significant risk for healthcare companies. US patient safety group ECRI reported 173 medical device cybersecurity alerts in the past five years. The organisation warned that cybersecurity incidents don’t just disrupt business operations, but can “pose a real threat of physical harm.” For instance, ransomware attacks on hospitals can cause device outages that disrupt patient care, and at worst, put lives at risk.
Source: MedTech Dive, 11 August 2022