Discussion summary: The lack of meaningful data on medical device cybersecurity leads to cybersecurity unpreparedness. Today, though, there is an economic disincentive to reporting vulnerabilities and incidents. For instance, a hospital would incur liability by reporting a problem. These economic factors reinforce a cycle of not reporting cybersecurity problems, which increases the false impression of preparedness that comes from the lack of reported incidents. The lack of reported incidents is more likely the result of a lack of incentives for reporting and a lack of effective reporting mechanisms designed to collect cybersecurity threat indicators from the clinical setting.
Panelists:
- Brian Fitzgerald
  Deputy Director, Division of Electrical and Software Engineering, FDA CDRH OSEL
- Kevin Fu
  Associate Professor, Computer Science, UMass Amherst (moderator)
- Louis Jacques
  Director, Coverage and Analysis Group, Centers for Medicare and Medicaid Services
- James Keller
  Vice President, Health Technology Evaluation and Safety, ECRI Institute
- George Mills
  Director, Department of Engineering, The Joint Commission
- Erich P. Murrell
  Lt. Col., CISO, Medical Devices, Office of the Air Force Surgeon General
Past ISPAB meetings with panels on medical device cybersecurity: