As hospitals and other healthcare facilities invest ample time and money into providing protection for their electronic records, the U.S. Food and Drug Administration (FDA) is offering a reminder that medical devices represent a potential vulnerability. The agency is underway with a series of collaborations meant to combat a wave of cyberattacks that they deem highly likely in the future.
In recent months, Johnson & Johnson alerted users to a security risk associated with the Animas OneTouch Ping insulin pump system and a group of St. Jude Medical’s cardiac devices were found to be ripe for cyberattack. Such reports lead to alarming thoughts of hackers accessing devices and compromising their operation.
There was no indication that any of these flaws has led to patient harm thus far, but even if the only dire result is the theft of patient records, that opens up a HIPAA nightmare with a lot of confusion of over where disciplinary fines might land. That’s one aspect of the flaring debate about whether or not the 20-year-old patient privacy law has kept up with the times.
Right now, the FDA is concentrating their efforts on device manufacturers, hoping that early mindfulness in constructing safeguards will be the best defense.
"This is what we said to manufacturers; one should consider the environment a hostile environment, there are constant attempts at intrusion ... and they have to be hardened," recounted Suzanne Schwartz, associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health, according to The Hill.
The FDA has been reaching out to other federal agencies with an end goal of formulating a response in the event of a catastrophic hack of medical devices. There’s also been an influx of experts, all focused on developing better guidance schemes for manufacturers and users.
Healthcare providers face the anxiety of vague guidelines that refer to the security of medical devices as a “shared responsibility,” potentially assigning the facility and practitioners the same level of culpability as a manufacturer if a device’s cybersecurity tools proves inadequate.
For hospitals, arguably the greatest risk is that a single access point through a vulnerable device can put the whole array of connected medical records at a hacker’s keyboard-tapping fingertips. Right now, cybersecurity dangers have the attention of the FDA. Soon, the problem might jolt the entire healthcare industry.