
November 22, 2021 – How long will distributors and manufacturers be on the hook for ensuring the safety – from a cybersecurity perspective – of the equipment they sell? One year? Five? Ten?
In a letter written in May 2018 to the U.S. House of Representatives Energy and Commerce Committee, the American Hospital Association took a strong stance: “The FDA must make clear that security measures to protect legacy devices are required, not optional. Unfortunately, the health care sector, including the device sector, continues to be confused as to whether FDA guidance on post-market cybersecurity is binding.”
In the letter, former AHA Executive Vice President Thomas Nickels wrote, “It would be useful for manufacturers to provide guidance to end-users at the time of purchase about the expected supported lifetime. This would allow for better planning and risk management activities.”
Chad Waters, senior cybersecurity engineer, Device Evaluation Group at ECRI, told Repertoire in an email, “Going forward, the strategy should focus on producing devices that don’t become ‘legacy’ before their useful lifespan. It’s also reasonable that a device [be] easily patchable. These devices should have security support throughout their expected lifespan. In some cases, this includes one or more upgrades of the operating system platform. Manufacturers should be transparent with the lifecycle plans of their devices.”
Even the AHA’s Nickels doesn’t believe it will be easy.
“There is a significant contrast between the ease and efficiency of updating network and PC software for security, and updating software embedded in medical devices,” he wrote. “Software companies have generally prioritized creating a systematic approach for sharing timely updates and providing guidance on how to complete them. Similar approaches have yet to be deployed by medical device manufacturers.”