The biggest problem in combating medical device cyber-attacks is not technological; it is the secretive reaction of medical device companies when confronted with evidence that their devices can be hacked, which leads to a refusal to disclose any information about the hacking incidents.
At the Thursday, October 1st conference organized by MassMEDIC (the Massachusetts organization of medical device companies), Suzanne Schwartz of the FDA politely threw down the gauntlet. Schwartz is the Director of Emergency Preparedness at the FDA's Center for Devices and Radiological Health; she expounded at length on the FDA's perceptions and expectations with respect to cyber security matters.
Schwartz called upon the industry to act collaboratively to identify cyber risks. She asked: aside from a shared desire to protect and heal the public, what is going to motivate competitors to disclose cyber risk information? Do we need a total disaster? Should the FDA impose a penalty (she asked with apparent innocence)? Or will the industry adopt a more collaborative approach on its own?
She reviewed a series of executive orders from the President and the applicable guidance issued by the FDA, and made reference to last October's FDA public workshop on the cyber security of medical devices (presented in conjunction with the Department of Homeland Security and the Department of Health and Human Services).
Another problem is the sometimes confrontational nature of the dialogue between security researchers and companies. She called for civility on both sides: "Security researchers are not the enemy here."
Two established medical device companies of some size and stature, Boston Scientific and Philips Healthcare, presented in a separate panel on their own practices. It is not surprising that each described robust attention to cyber security throughout the device design process and a willingness to share disclosures with others in the industry (while protecting trade secrets from competitors); each described a corporate program which the FDA (whose key representative was also in the audience) will no doubt find most comforting. It was almost as if these presenters were describing a different industry from the one in the FDA's scenario, which is not to suggest that their companies do not follow the robust procedures they described. It is also perhaps not surprising that the companies willing to disclose their procedures are those with the best procedures; a company with a poor record on the hacking of its medical devices is not likely to step forward and present in this particular setting.
A subsequent post will outline the FDA actions proposed for the next twelve months, and will summarize the FDA's premarket guidance on its review of devices and related software.