Rep. James Langevin (D-RI), co-chairman of the Congressional Cybersecurity Caucus, wrote an open letter to the Food and Drug Administration (FDA) on Thursday to praise draft guidance that would strengthen the cybersecurity of medical devices.
The letter praises the risk-focused approach encouraged in the proposed guidelines. “Rather than outline specific controls, which would rapidly become obsolete, the guidance suggests processes, such as monitoring cybersecurity information sources, that are tied to a holistic model of risk,” Langevin wrote in the open letter. “Of note are the recommendations regarding vulnerability handling and disclosure, as effective vulnerability programs are essential for alerting manufacturers to security problems.”
The guidelines, announced in January, call on medical device makers to plan for and assess vulnerabilities. They also encourage information sharing, in the form of a public-private cooperative organization, the Information Sharing Analysis Organization (ISAO).
Spearheaded by Suzanne Schwartz, the agency's emergency preparedness director, the guidelines have been warmly received by information security professionals. “The evidence we've seen so far from IoT vendors is that they're repeating the mistakes we've seen over the past 20+ years and delivering systems with inherent insecurities (e.g. cars, toys, medical devices, and other devices),” said Mark Nunnikhoven, VP, Cloud Research at Trend Micro, in comments emailed to SCMagazine.com. “This is unacceptable for any new devices – let alone critical ones in the medical field. Every other aspect of a medical device falls under regulation; it's only logical to ensure that the security of the device itself and the systems it connects to are also heavily regulated and monitored.”
The time-saving potential of medical devices is especially relevant to Langevin, a quadriplegic who was paralyzed in a gun accident while working with a police department as a Boy Scout. While he praised the advances brought on by medical devices that allow doctors to monitor patients' health without requiring office visits, he also raised concerns that “medical devices are subject to increased risk as their connectivity grows.”

Last month, during a Congressional subcommittee joint hearing, the FTC pushed for federal data security legislation that would enable the agency to seek civil penalties in situations such as data breaches, especially where the agency is impeded by limitations in pursuing non-profit organizations.