The US Information Security and Privacy Board (ISPAB) voiced concerns over potential harms resulting from a lack of controlled management of cybersecurity in wireless medical devices in response to FDA’s draft guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” ISPAB operates under the National Institute of Standards and Technology (NIST) in its Computer Security Division, and its goals include identifying emerging managerial, technical, administrative, and physical safeguard issues relative to information security and privacy.
ISPAB takes the position that software-controlled medical devices are increasingly at risk due to the lack of cybersecurity preparedness and that the diffusion of responsibility for resolving this issue among various federal agencies will not help resolve those concerns. That, together with an economic disincentive for entities to report vulnerabilities due to possible fines and related penalties, creates the potential for an undocumented threat to users of wireless medical devices.
ISPAB makes four main recommendations:
- a single governmental entity be assigned responsibility for taking medical device cybersecurity into account during pre-market clearance and approval of devices, and during post-market surveillance of cybersecurity threat indicators at time of use;
- the FDA collaborate with NIST to research cybersecurity features that could be enabled in wireless medical devices in Federal settings;
- training and education programs be established to inform users, health care organizations, and manufacturers about the risks associated with networked and wireless medical devices;
- United States Computer Emergency Readiness Team (US-CERT) create defined reporting categories for medical device cybersecurity incidents to coordinate and incentivize Government, providers, and manufacturers to collect cybersecurity threat indicators.
ISPAB argues that these steps will prepare the country for what it believes to be an inevitable growth in wireless medical device cybersecurity incidents.