Abbott seeks clearer security standards as feds increase cyber risk focus

Dive Brief:

Medical device giant Abbott called for clearer cybersecurity standards, built-in protections for next-generation connected devices, and investment in better prevention and incident response mechanisms in a new white paper released Thursday.
Co-authored by cybersecurity firm The Chertoff Group, the report found that 75% of physicians and 62% of hospital administrators feel "inadequately trained or prepared to mitigate cyber risks," among over 400 healthcare delivery professionals surveyed. Additionally, physicians (82%) and administrators (73%) agreed that there should be "industry-wide standards and consistent terminology.
President Donald Trump is expected to sign bipartisan legislation on Friday creating the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS). The new agency will effectively replace the National Protections and Program Directorate and is meant to be the point governmental organization on civilian cyber safety in the United States.

Dive Insight:

The creation of CISA comes also just a few weeks after HHS launched "HC3," an information and advice-sharing go-between for government and industry that will report to DHS.

FDA has been active in addressing cybersecurity this year, including within its Medical Device Safety Action Plan, which seeks to integrate premarket and postmarket device regulation. The agency also issued a Medical Device Cybersecurity Incident Preparedness and Response Playbook and proposed updates to its 2014 guidance on premarket cyber readiness.

The majority of cyber attacks in healthcare are still economically-driven ransomware attacks on network systems, as opposed to malicious actor attempts to hurt patients, said Bennet Waters, who leads strategic advisory services at The Chertoff Group, at a cybersecurity panel Thursday at the Healthcare of Tomorrow conference in Washington.

However, Waters said "we're fooling ourselves" if we don't think industry-wide vulnerabilities leave potential for the threat landscape to evolve to more common attacks on individual medical devices such as pacemakers.

Waters also said that "good technology can lull organizations into a false sense of security," aligning with the joint report's recommendation for better training and awareness of cyber vulnerabilities across healthcare organizations. The report warns that communication regarding the vulnerabilities of medical devices is currently insufficient for physicians, only 15% of whom reported "having seen or read advisories related to medical device security" in the last six months.

"We've all been focused on delivering healthcare rather than delivering healthcare through secure channels" said Seth Carmody, a cybersecurity program manager within FDA's Center for Devices and Radiological Health and a co-chair of its Cybersecurity Working Group.

Carmody highlighted some of the key updates in FDA's proposed device cybersecurity draft guidance, including a recommendation that device manufacturers include a cybersecurity bill of materials for each product sold, to effectively give hospitals awareness of an "ingredient list," should any of those materials be found to have vulnerabilities. Carmody said that the next generation of devices ought to have protections "baked into the silicone," ultimately creating technologies that are far less trusting than existing ones.

Abbott's divisional vice president for product security, Chris Tyberg, seemed to agree with this direction, saying that built-in security measures will be a new test of quality for devices.

FDA is set to hold a public workshop on the proposed changes to the cybersecurity draft guide in January.