Thursday, February 2, 2012

NIST explores economic incentives for medical device cybersecurity

The NIST Information Security and Privacy Advisory Board recently held a panel on Economic Incentives for Medical Device Cybersecurity.

Discussion summary: The lack of meaningful data on medical device cybersecurity leads to cybersecurity unpreparedness. Today, though, there is an economic disincentive for reporting of vulnerabilities and incidents. For instance, a hospital would incur liability by reporting a problem. The economic factors self-reinforce a cycle of not reporting cybersecurity problems, which increases the false impression of preparedness from lack of reported incidents. The lack of reported incidents is more likely a result of lack of incentives for reporting and a lack of effective reporting mechanisms designed to collect cybersecurity threat indicators from the clinical setting.


  • Brian Fitzgerald
    Deputy Director, Division of Electrical and Software Engineering, FDA CDRH OSEL
  • Kevin Fu
    Associate Professor, Computer Science, UMass Amherst (moderator)
  • Louis Jacques
    Director, Coverage and Analysis Group, Centers for Medicare and Medicaid Services
  • James Keller
    Vice President, Health Technology Evaluation and Safety, ECRI Institute
  • George Mills
    Director, Department of Engineering, The Joint Commission
  • Erich P. Murrell
    Lt. Col., CISO, Medical Devices, Office of the Air Force Surgeon General
Past ISPAB meetings with panels on medical device cybersecurity:

No comments:

Post a Comment

All comments are moderated to prevent spam, so please pardon the delay while our anti-spam team looks at incoming messages.