
From Health Law Daily, February 19, 2016

IT industry calls for stronger FDA stance on device cybersecurity

By Kayla R. Bryant, J.D.

The FDA’s “subtle suggestions” for medical device manufacturers on cybersecurity are not enough for the Institute for Critical Infrastructure Technology (ICIT). ICIT affiliates expressed their concerns in a blog post and called for regulatory enforcement, which they believe is necessary to resolve vulnerabilities and defend against hackers. The authors reviewed the agency’s January 2016 draft guidance, which created a framework for manufacturers but contained only non-binding recommendations (see FDA provides guidance on addressing cybersecurity threats to medical devices, January 22, 2016).

Guidelines vs. regulations. ICIT admits that regulations are difficult to develop because of the differing constraints on the various organizations and agencies they cover. When regulations are implemented, they are often not equal to the threat because they are designed around the “maximum capability of the weakest organization.” Guidelines, by contrast, can be followed as far as possible and adapted to the capabilities of a company or device. The authors emphasize that this freedom should not result in patient harm because manufacturers choose to disregard best practices. Previous communications from the agency have drawn similar criticism from other sources, being called “watered down” and “wishy-washy.”

Guidance. The FDA stressed that manufacturers should monitor for vulnerabilities throughout a device’s lifecycle in light of evolving cybersecurity threats. ICIT noted that health information is particularly valuable to hackers, but that because the guidance is not binding, no party can hold an organization accountable for failing to follow these up-to-date suggestions. If a breach occurs because data was not secured, harm to the company’s reputation is its largest source of liability. That incentive can lead an organization not to report a breach, hurting the community as a whole. The FDA requires reporting only of extreme vulnerabilities and exploits that could result in serious harm or death, while actions that mitigate less-severe issues can be treated as routine updates and do not need to be reported. ICIT urged the health care community to improve cybersecurity on its own initiative, reminding the industry that comments on the draft guidance can be submitted until April 21, 2016.
