The FDA and medical device makers are preparing for a glut of hacking attacks as more connected devices and hospital networks emerge, according to a new report.
Electronic health records remain a favored target for hackers, with numbers of compromised records in the tens of millions, according to The Hill.
The FDA has warned of the increasing risk and is coordinating with other regulatory bodies and federal agencies to prepare for such attacks and create a plan for an organized response, according to the report.
“This is what we said to manufacturers; one should consider the environment a hostile environment, there are constant attempts at intrusion … and they have to be hardened,” FDA Center for Devices and Radiological Health strategic partnerships associate director Suzanne Schwartz told The Hill.
The Department of Health and Human Services is taking action to combat the looming threat, according to the report. Last year, the Office of the National Coordinator for Health Information Technology gave $350,000 to the National Health Information Sharing and Analysis Center to help inform stakeholders and create a system where information on attacks and breaches would be shared between stakeholders.
But the federal agencies believe the issue could be significantly underreported, and that companies could hide such attacks for fear of harm to their brand reputation.
“Organizations are unlikely to report security incidents if not required to do so given the potential reputational harm that might occur. The reports we read about are only a small fraction of the incidents that occur,” Merck & Company chief information security officer Terry Rice said.
And medical device makers will likely be on the hook for vulnerabilities that lead to attacks, according to the FDA. Guidance from the agency indicates that manufacturers are obligated to consider cybersecurity of their devices, according to Hall Render tech and cybersecurity lawyer Melissa Markey.
“Even though we would have all intuitively said, well yes medical device-makers obviously should make their devices safe from being hacked, that FDA guidance removes any question, I think,” Markey told The Hill.
Both the FDA and private medical device companies are preparing for attacks by increasing the number of cybersecurity experts on the payroll, according to the report. Many companies are adopting policies where researchers, or “white hat” hackers, can report vulnerabilities to the company to avoid taking them public and risking the possibility of more attacks.
“You’re starting to see FDA hire software experts so that internally they have more capabilities to evaluate cyber security programs of these companies. The medical device industry, I would say in the last two-and-a-half years or so, has gone from general understanding of the issue, general participation to extreme awareness and participation in cybersecurity efforts,” Advanced Medical Technology Association associate VP Zach Rothstein told The Hill.