According to recent data from MarketsandMarkets, the market for portable medical devices will be worth $20 billion by 2018. One key factor in this growth is the "availability of a wide range of medical software applications" that allows manufacturers and health agencies to custom-design medical devices to meet specific needs. The US Food and Drug Administration (FDA), meanwhile, has released a set of medical device cybersecurity guidelines designed to help manufacturers evaluate applications before they bring devices to market. Are these guidelines best used as a way to avoid massive software missteps on a case-by-case basis, or do they form the foundation of an overall approach to third-party security?
Late to the Party?
A recent Information Week article examines the new guidelines, noting that 47 percent of healthcare providers and payers already use wearables and other connected medical devices such as automated pharmacy systems, but that only 53 percent of those devices have built-in security, which leaves patients and healthcare companies exposed. The FDA guidelines therefore seem timely, but according to LogRhythm CTO Chris Petersen, the agency waited far too long to release them. "What is unique to healthcare environments are the number of IP-connected medical devices that typically have not been hardened to withstand cyberthreats," he says, adding that "securing these devices from advanced threats has not been a mandate and is typically not a focus." In other words, the FDA recommendations may be too little, too late: millions of insecure IP-connected devices are already deployed, and guidance aimed at devices that have not yet reached the market does not reach them.
One of Many
As Petersen's comment suggests, the healthcare device market is unusual in that connectivity and ease of access have consistently taken priority over even basic security measures. That ground-floor level of medical device cybersecurity is what the FDA guidelines try to establish: the agency recommends that manufacturers design devices that can identify the assets and data that need protecting and protect them, detect potential threats, respond to incidents and recover data and function as required. Even this baseline can be hard to meet, because many manufacturers build on existing third-party software to shorten development. After all, if someone has already written a reliable way to collect heartbeat data or aggregate physical-activity reports, why rewrite it? In a market growing this quickly, companies that are slow to get devices to market are left behind. The catch is that every reused component brings its own vulnerabilities along with it, and it is the device manufacturer, not the component's author, who answers for them when the device is evaluated.
It's tempting, therefore, to treat the guidelines as a checklist applied one application at a time: does this application meet the basic FDA criteria, and does it come from a trusted provider? Medical device manufacturers would do better to treat the FDA recommendations as the starting point for a broader application security program. Combined with rigorous, automated testing of every component, third-party code included, against known vulnerabilities before each release rather than once at submission, manufacturers can show that every product they design meets the intent of the guidance and not merely its minimum. The payoff is twofold. First, devices reach the market without late rework and stay there instead of being recalled for poor code or gaping security holes. Second, when the FDA moves from "suggesting" medical device cybersecurity to requiring it, manufacturers already running this workflow are a step ahead, and have a better shot at claiming their part of a $20 billion market.
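One way to make "automated testing for known vulnerabilities" concrete for reused components is a release gate that checks the device's third-party software inventory against a list of advisories with affected version ranges. The following Python example is added here and is not code from the article, the FDA or any manufacturer; the component names, versions and EX-* advisory identifiers are constructed for illustration and do not refer to real products or real CVEs.

```python
"""Premarket release gate: check a device's third-party software inventory
against known-vulnerability advisories.

Added example. The inventory, the advisories and the EX-* identifiers are
constructed for illustration; they are not real products or real CVEs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None = no fix published


def version_key(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple of integers.
    Non-numeric suffixes such as '-rc1' are ignored (a simplification)."""
    parts = []
    for part in version.split("."):
        match = re.match(r"\d+", part)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b, zero-padding so that '1.0' compares equal to '1.0.0'."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return ka < kb


def is_affected(component: Component, advisory: Advisory) -> bool:
    """Affected when introduced <= version < fixed, or when no fix exists."""
    if component.name != advisory.component:
        return False
    if version_lt(component.version, advisory.introduced):
        return False                       # shipped version predates the flaw
    if advisory.fixed is not None and not version_lt(component.version, advisory.fixed):
        return False                       # shipped version is at or past the fix
    return True


def audit(inventory: List[Component], advisories: List[Advisory]):
    """Every (component, advisory) pair where the shipped version is affected."""
    return [(c, a) for c in inventory for a in advisories if is_affected(c, a)]


def remediation(advisory: Advisory) -> str:
    """What the manufacturer must do about a finding. A finding with no
    published fix cannot be closed by an upgrade: it needs a mitigation or a
    replacement component, which is the case a one-off 'trusted provider'
    check tends to miss."""
    if advisory.fixed is None:
        return "no fix published: mitigate or replace the component"
    return f"upgrade to {advisory.fixed} or later"


def gate(inventory: List[Component], advisories: List[Advisory]):
    """Release gate: passes only when no shipped component is affected."""
    findings = audit(inventory, advisories)
    return len(findings) == 0, findings


# Constructed sample inventory for a hypothetical wearable (not real products).
INVENTORY = [
    Component("heartrate-sdk", "2.3.1"),
    Component("tls-lib", "1.0.2"),
    Component("sync-agent", "4.1.0"),
]

# Constructed advisories (not real identifiers or version ranges).
ADVISORIES = [
    Advisory("EX-2014-001", "tls-lib", introduced="1.0.0", fixed="1.0.4"),
    Advisory("EX-2014-002", "heartrate-sdk", introduced="2.0.0", fixed="2.3.0"),
    Advisory("EX-2014-003", "sync-agent", introduced="4.0.0", fixed=None),
]

if __name__ == "__main__":
    passed, findings = gate(INVENTORY, ADVISORIES)
    print("gate:", "PASS" if passed else "FAIL")
    for comp, adv in findings:
        print(f"  {comp.name} {comp.version}: {adv.advisory_id} -> {remediation(adv)}")
```

Run against the constructed data, the gate fails on two components: the TLS library, which has an upgrade available, and the sync agent, which is affected by an advisory with no published fix and therefore cannot be cleared by a version bump. The heart-rate SDK is at a fixed version and passes. The point of running this on every build rather than once per submission is the third case: an advisory can appear, or a component can be bumped, at any time after the initial review.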
Photo Source: Wikimedia Commons