Confusion around FDA policies hinders medical device security, report suggests

Hospital IT executives are split in their confidence when it comes to medical device security, according to a joint report from KLAS Research and the College of Healthcare Information Management Executives published Oct. 5.

For the report on medical device security, KLAS Research and CHIME surveyed 148 CIOs, chief information security officers, chief technology officers and other IT leaders at various provider organizations, including hospitals and integrated delivery networks. The respondents were asked to share perceptions of their organization's security strategy and common challenges they've faced.

Thirty-nine percent of executives in the survey said they were "confident" or "very confident" in their medical device security strategy's ability to protect patient safety and prevent disruptions to patient care, while 31 percent said they were "unconfident" or "very unconfident." The remaining 30 percent said they were "neutral."

Lack of support from device manufacturers was one of the leading causes executives cited for not having confidence in their security strategy. Top manufacturer-related concerns that have caused security issues for the providers included out-of-date operating systems (93 percent) and insufficient controls (55 percent), according to the report.

Confusion around FDA policies was also a driver of executives' frustration around medical device security, according to KLAS Research and CHIME.

"Though KLAS did not specifically ask respondents for their perspectives on the FDA's role in medical device security, many brought up the topic spontaneously. According to most of these respondents, medical device manufacturers use the FDA policies as an excuse to not patch their decisions," the report reads. Other respondents claimed FDA policies were unclear or didn't hold manufacturers accountable for security issues.

In early October, FDA Commissioner Scott Gottlieb, MD, unveiled four steps the agency is taking to strengthen its cybersecurity program for medical devices — including releasing a cybersecurity "playbook" for hospitals and updating the agency's premarket guidance.

"We want to assure patients and providers that the FDA is working hard to be prepared and responsive when medical device cyber vulnerabilities are identified," Dr. Gottlieb said in an Oct. 1 statement. "The FDA isn't aware of any reports of an unauthorized user exploiting a cybersecurity vulnerability in a medical device that is in use by a patient, but the risk of such an attack persists."

To download KLAS Research and CHIME's report, click here.

 More articles on cybersecurity:
4 ways the FDA is tackling medical device security
Facebook's latest breach affects 50M users: 6 things to know
5 questions to help CISOs assess cybersecurity preparedness

© Copyright ASC COMMUNICATIONS 2020. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.


Top 40 Articles from the Past 6 Months