In 2015, there were several major data breaches in the health care industry that resulted in more than 112 million records being compromised. As a result, the industry is facing heightened regulatory scrutiny around the issue of cyber security and preparedness, including for medical devices.
First, there is the Cybersecurity Act of 2015, which requires the Department of Health and Human Services (HHS) to submit a report to Congress within the next year assessing the preparedness of the healthcare industry in responding to cyber threats. The goal is to establish a “single, voluntary, national, health-specific cyber security framework.” As part of this mandate, HHS must create a cyber security task force made up of regulatory agencies, industry stakeholders and cyber experts to help plan a single system for the federal government to share intelligence regarding cyber security threats to the healthcare industry and to recommend protections for networked medical devices and electronic health records.
Additionally, the U.S. Food and Drug Administration (FDA) has issued a new set of draft post-market guidance for the management of cyber security in medical devices, making recommendations for medical device manufacturers to minimize risk to patients as a result of the growing cyber security threats.
The FDA’s draft guidance for medical devices advocates a risk-based and proactive approach. Moreover, although the guidance is primarily aimed at manufacturers, it notes that medical device cyber security is a shared responsibility among all healthcare stakeholders, including healthcare facilities, patients and providers. The draft guidance recommends that manufacturers implement a structured, systematic and comprehensive cyber security risk management program and respond in a timely fashion to identified vulnerabilities. Critical components of such a program would include medical device manufacturers developing management approaches to:
- Apply the NIST Framework for Improving Critical Infrastructure Cybersecurity, which includes the core principles of “Identify, Protect, Detect, Respond and Recover”;
- Monitor cyber security information sources for identification and detection of cyber security vulnerabilities and risk;
- Understand, assess and detect presence and impact of a vulnerability;
- Establish and communicate processes for vulnerability intake and handling;
- Clearly define essential clinical performance in order to develop mitigations that protect against, respond to and recover from the cyber security risk; and,
- Adopt a coordinated vulnerability disclosure policy and practice.
When evaluating potential cyber risks, manufacturers should focus on assessing the risk to the device’s “essential clinical performance” and consider the following:
- The exploitability of the cyber security vulnerability.
- The severity of the health impact to patients should the vulnerability be exploited.
In instances where the “essential clinical performance” of a device could be compromised, the manufacturer is required to notify the agency. Reporting requirements are not enforced if all of the following circumstances are met:
- No known serious adverse effects or deaths associated with the vulnerability.
- The manufacturer sufficiently remediates the issue within 30 days of learning of the vulnerability.
- The manufacturer is a participant in an Information Sharing and Analysis Organization (ISAO).
Any device that uses software and is allowed to connect to a healthcare network introduces risk, and it is essential that these risks be managed properly. In addition to having strong cyber security in place, Cyber Liability insurance must be part of the plan. A health care facility should ensure not only that it has the proper coverage but also that the manufacturers of its medical devices are appropriately insured. Caitlin Morgan offers medical facilities a wide range of Cyber Liability coverage and can assist you in obtaining a tailored policy. Give us a call at 877.226.1027.