The FDA's draft of cybersecurity guidelines for medical devices does not go far enough in its recommendations for a framework for protecting devices from future attacks, a new report says.
The report, from the Institute for Critical Infrastructure Technology (ICIT), says the FDA is failing to offer options for "regulatory enforcement" that would assure security standards and measures are adopted in the manufacturing of medical devices.
"In practically all matters of cybersecurity within the health sector, the FDA seems to be in a constant state of offering subtle suggestions where regulatory enforcement is needed," the ICIT report said.
The authors of the ICIT report, James Scott, Sr. Fellow at the ICIT, a group that advises decision makers on technology and cybersecurity trends in government and healthcare, and Drew Spaniel, Visiting Scholar, Carnegie Mellon University, said that the argument for tough cybersecurity standards typically is undermined by the notion that a regulatory presence stifles innovation.
But current practices are failing to stop the continuous stream of high-profile healthcare hacks. "Due to the industry's continuous lack of cybersecurity hygiene, malicious EHR exfiltration and exploiting vulnerabilities in healthcare's IoT attack surface continue to be a profitable priority target for hackers," the authors wrote.
Via Pharma Guy, Antoine POIGNANT, MD, Philippe Marchal, Lionel Reichardt / le Pharmageek