The American Hospital Association (AHA) has called for the FDA to step up its medical device cybersecurity oversight in the wake of the WannaCry ransomware attack.
Hospitals in the U.S. escaped the worst of the WannaCry attack—which caused major disruptions to healthcare in the U.K.—but the worm did reportedly infect some devices used in the country. Just as importantly, the threat of the attack caused disruption at hospitals regardless of whether any of their devices became infected.
The AHA is critical of how medical device manufacturers managed this threat.
“AHA members report that many manufacturers were slow to provide needed information about their products during the WannaCry attack. This includes information on the software components embedded in devices, the existence of vulnerabilities and the availability of patches,” the trade group wrote in a letter to the FDA.
As the AHA sees it, the problems continued once manufacturers did respond. Hospitals reported that the defensive actions proposed by manufacturers, such as taking devices offline, “had significant, and sometimes expensive, operational or patient care impacts.”
The AHA wants the FDA to ensure manufacturers handle the situation better next time by setting “clear measurable expectations” for how they should respond before incidents occur. Then, when a security breach happens, the trade group wants the FDA to play a more active role in helping its members to bounce back.
If the AHA gets its way, the FDA will also force medical device manufacturers to do more to secure their devices before problems arise in the first place.
“Manufacturers must be held accountable to proactively minimize risk and continue updating and patching devices as new intelligence and threats emerge,” the AHA wrote. “They share responsibility for safeguarding confidentiality of patient data, maintaining data integrity and assuring the continued availability of the device itself.”
The AHA made its comments in response to an FDA call for recommendations about which rules can be modified, repealed or replaced in line with President Trump’s order to cut regulations.