The FBI recently released recommendations to help protect medical devices from cyberattacks that can threaten health care operations, patient safety, and data privacy and integrity, citing a growing number of unpatched medical device vulnerabilities.
“This past June, the AHA issued a letter of support to Congress for pending legislation known as the PATCH Act,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “The letter echoed the need for medical device manufacturers to implement increased cybersecurity requirements for medical devices. Cyber vulnerabilities in medical devices, often containing outdated legacy technology, have posed a significant cyber risk to hospitals. In 2017, the FBI reported that the North Korean WannaCry global health care ransomware attack was fueled by vulnerabilities in medical devices.
“The pending legislation would require medical device manufacturers to monitor and identify post-market vulnerabilities in a timely manner, develop a plan for coordinated vulnerability disclosure, provide lifetime cybersecurity support of the device and provide an accounting of all software contained in the device, including third party software.
“In the interim, it is good practice to increase cybersecurity requirements in medical device and medical technology business associate agreements. An excellent resource for medical technology model contract language can be found here.”
For more information on this or other cyber and risk issues, contact John Riggi at jriggi@aha.org
