So where is OCR in all this? McMillan says the agency has been putting “pressure” on FDA and the Office of the National Coordinator for Health Information Technology (ONC) about this issue. However, OCR spokeswoman Rachel Seeger would say only that OCR had no “substantive” or “direct role in FDA’s guidance or warning.”
McMillan says there is talk of creating some kind of system for assessing medical device security features akin to HHS’s meaningful use certifications that apply to electronic health records. Only those that meet certain criteria, which include certain access controls, can be purchased with federal funds (RPP 9/12, p. 4). CMS and ONC maintain a list of certified EHRs.
A version of this question was discussed by panelists from CMS and FDA (audio recording conveniently below). In February 2012, I moderated a panel at the NIST Information Security & Privacy Board on the topic of economic incentives to improve medical device security. The audio recording and discussion questions can be downloaded from our blog post. The high bit: at the time, there were very few economic levers for covered entities to incentivize better cybersecurity in the manufacturing of medical devices. The draft guidance from FDA may provide an important lever for covered entities so that patients ultimately have safer and more effective medical devices.