FDA Medical Device Guidance
The Food and Drug Administration has released “long-awaited” guidelines on the cyber security of medical devices.
Obviously, this is a concern for health and life insurers, but it is also relevant to other areas of coverage, such as automobile or any insurance that pays medical claims.
“There is no such thing as a threat-proof medical device,” said Suzanne Schwartz, director of emergency preparedness at the FDA’s Center for Devices and Radiological Health, in an article in “USA Today” on the release of the guidelines.
“…many device manufacturers and software vendors only learn of vulnerabilities in their products after said products have been hacked.”
“It is important for medical device manufacturers to remain vigilant about cyber-security and to appropriately protect patients from those risks.”
Important indeed. One would think that such statements would be followed by some specific safety requirements, or at least by substantive recommendations.
Instead, the article noted, “The agency is recommending that manufacturers consider cyber security risks as they design and develop medical devices.”
And which particular risks might those be? It seems there is again no specificity.
Once having “considered” those risks, however, the FDA says companies should give the FDA information about the potential risks they found, as well as what controls they put in place to mitigate them.
While this is a nice idea, it ignores certain realities in the world of technology development in general and cyber security in particular.
First, many device manufacturers and software vendors only learn of vulnerabilities in their products after said products have been hacked.
Yes, it would be fair to say that manufacturers and vendors should do a better job of testing in order to ferret out potential problems, but it is also fair to say that the number of ways to crack a product’s code are many and that not all of those ways are likely to be anticipated.
And at some point in the product development process, the testing phase must come to an end — unless the vendor is oblivious to the possibilities for profitably marketing a given product.
“Many devices are poorly secured and do not require a lot to hack. If there is sufficient incentive to do so, it will happen, causing harm to patients,” said Shel Sharma, director of product marketing for Cyphort, a threat-detection company, in the published piece.
But why would anyone want to hack into a medical device, implanted or otherwise? One obvious reason might indeed be to do harm to that individual. If an implant suddenly overheats and loses functionality, who is to say it wasn’t an accident, as opposed to attempted murder?
More ominous, however, is the idea that devices of various kinds must, by design, interface with broader medical systems that contain much more data — including confidential data on health and things like Social Security numbers. It might also be that a compromised device would provide a gateway to an entire enterprise, allowing for mischief and significant data loss, and the liability that would accompany same.
And liability is precisely the point for insurers of nearly any stripe. Of course, this whole risk scenario may represent a new area of insurance coverage to be marketed by our carriers.
Even in that case, however, insurers hardly want device makers to make things easy for criminals, because the carriers must then pay the claims. The FDA held a national workshop on medical devices and cyber security in October. Let’s hope the risks and the solutions that emerge from that gathering are more clearly defined.