Lack of Support for Older Equipment Presents Medical Device Security Risk

A medical device security risk is not being addressed by device manufacturers according to complaints received by the FDA from healthcare providers.

It is alleged in the complaints that manufacturers are not doing enough to help HIPAA-covered entities remain compliant. One of the main problem areas is old medical equipment, which manufacturers no longer maintain or issue patches for. When this happens, the covered entity is given no choice but to purchase new equipment; otherwise it will be violating HIPAA regulations and could face million-dollar fines.

Healthcare providers now have to deal with an elevated risk of cyberattacks, and according to the complaints received, manufacturers are not doing enough. The FDA has agreed to look into the matter and address the issue. It will be looking more closely at the cybersecurity issues faced by the healthcare industry over the coming weeks and months.

The FDA has already stated that it is committed to developing a comprehensive cybersecurity program. It will also be scrutinizing new market submissions more closely and will want to see evidence of HIPAA data security controls. Considering that there is a significant medical device security risk from electronic devices that could potentially expose patient data, the FDA wants to tighten up its security requirements for pre-market submissions. The FDA is in the process of issuing new guidelines, and these are expected to be finalized shortly.

The FDA has identified a number of problems which it is hoping to address. It wants to get product manufacturers and the medical community working more closely together on issues of HIPAA compliance and data security. Part of the problem has been attributed to confusion that exists about HIPAA and other regulations.

Suzanne Schwartz is the FDA director of Emergency Preparedness/Operations and Medical Countermeasures, and she is aware that there are many myths out there which need to be busted. For instance, she gave the example of manufacturers that believe upgrading their products is not feasible because of the bureaucracy involved with the FDA, when this is simply not the case. She pointed out that, provided baseline security measures have been satisfied, the FDA does not need to be involved in the improvement of those security measures, and said that a new market submission would not be required.

FDA Guidance Imminent

Schwartz said that the release of the new guidance would be imminent, but that new market submissions would now be assessed from a security standpoint. Security is now to be considered as an “integral part of a product’s effectiveness and safety.”

The FDA will require product manufacturers to be much more proactive when it comes to data privacy and security. They will need to integrate security controls into the design of the devices, not bolt on security patches afterwards.

The reason for the change has been put down to a reassessment of the medical device security risk. The risk level was originally perceived to be low, but after a reassessment of the security vulnerabilities of these potentially networkable devices – and given the lifespan of the products – the level of risk was calculated to be much higher than initially thought. As a result, the FDA will require new product manufacturers to do more to minimize the risk of accidental disclosure of data and to show evidence that they have considered their products from a security standpoint.

Modern Equipment Also Carries a High Risk of a HIPAA Violation

It is not only aging equipment that carries a high risk of causing a HIPAA violation. BYOD – Bring Your Own Device – schemes allow healthcare workers to use their own mobile phones for work purposes; however, unless a secure messaging app is employed, any PHI sent via the device will be an automatic HIPAA violation. SMS messages are insecure and can easily be intercepted. If secure messaging has not been added to BYOD devices, it does not matter how much data security training is provided to staff; there will always be occasions when PHI is sent via insecure channels.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news