Is the American Hospital Association suggesting manufacturer liability for vulnerabilities in products?

I found a letter from the American Hospital Association to FDA, while reading a blog entry at NH-ISAC. The NH-ISAC blog concludes:

Is the American Hospital Association suggesting manufacturer liability for vulnerabilities in products?

Here is an excerpt from the AHA letter:

….. recent ransomware attack highlighted the extent to which medical devices are vulnerable and can create high-risk areas for the security of hospitals’ overall information systems. The FDA must provide greater oversight of medical device manufacturers with respect to the security of their products. Manufacturers must be held accountable to proactively minimize risk and continue updating and patching devices as new intelligence and threats emerge. They share responsibility for safeguarding confidentiality of patient data, maintaining data integrity and assuring the continued availability of the device itself. While the FDA has released both pre- and post-market guidance to device manufacturers on how to secure systems, the device manufacturers have yet to resolve concerns, particularly for the large number of legacy devices still in use.

…Moreover, AHA members report that many manufacturers were slow to provide needed information about their products during the WannaCry attack. This includes information on the software components embedded in devices, the existence of vulnerabilities and the availability of patches. Furthermore, the mitigating steps recommended by manufacturers – such as taking a device off-line, putting it behind a firewall or further segmenting the network – had significant, and sometimes expensive, operational or patient care impacts. We recommend that the FDA proactively set clear measurable expectations for manufacturers before incidents and play a more active role during cybersecurity attacks. This active role could include, for example, issuing guidance to manufacturers outlining the expectations for supporting their customers to secure their products.

The Takeaways

  1. If you are in the healthcare sector, share the letter from the AHA to the FDA with your key medical device manufacturers for a response, and set up a lessons-learned session on WannaCry.
