Assessing The FDA's Cybersecurity Guidelines For Medical Device Manufacturers

By James Scott, Sr. Fellow, Institute for Critical Infrastructure Technology (ICIT), and Drew Spaniel, Visiting Scholar, Carnegie Mellon University

In practically all matters of cybersecurity within the health sector, the United States Food and Drug Administration (FDA) seems to be in a constant state of offering subtle suggestions where regulatory enforcement is needed. The argument against enforcing cybersecurity standards typically centers on the idea that a regulatory presence stifles innovation. Due to the industry’s continuous lack of cybersecurity hygiene, malicious electronic health record (EHR) exfiltration and vulnerabilities in healthcare’s Internet of Things (IoT) continue to be a profitable priority target for hackers.

On January 15, 2016, the FDA issued a draft guidance advising medical device manufacturers to address cybersecurity “throughout a product’s lifecycle, including during the design, development, production, distribution, deployment, and maintenance of the device.” The guidelines offer a voluntary framework that organizations can build upon to ensure that their cybersecurity policies, procedures, and strategies proactively address cybersecurity risks in medical devices before the organization, patients, or the public at large realize financial or reputational harm from the exploitation of an unaddressed vulnerability by an unknown threat actor. But will these subtle “suggestions” be enough?