He pointed to the move last fall by short-seller investment firm Muddy Waters to publicize research by MedSec Holdings that found flaws in pacemakers and defibrillators made by St. Jude Medical Inc., which drove the company’s stock price down.
That collaboration was sharply criticized in some of the IT media, and St. Jude sued both Muddy Waters and MedSec, but Merdinger noted that, “the bottom line at this point appears to be that St. Jude is issuing patches, ICS-CERT is issuing advisories, and nobody has been arrested or otherwise shut down on the business side.”
The point, he said, is that if the stock price of a company is threatened, “that means executive bonuses and shareholder value is impacted. Once you start taking away people's boat payments, it's a whole new ballgame.”
And Harrington said he is not a fan of government regulation in cyber security for several reasons. “It takes too long to develop, is outdated by the time it becomes enacted, is too riddled with compromise and it attempts to apply a uniform security model to organizations that are innovating and thus by definition are not uniform,” he said.
But, he does not think the FDA’s guidance is useless. He said it can, “help align the various stakeholders – from device manufacturers, hospitals, patients, and the government – as to what is important. It provides a common language around which the discussion of security can be centered.”
Ostashen said government should play a role – a more aggressive role. “The FDA must set up regulations as strict as those for HIPAA (the Health Insurance Portability and Accountability Act, which mandates the protection of personal health information),” he said, adding that he sees cyber liability insurers refusing to pay for damages if they believe an organization was negligent for not following best practices.
“Medical device manufacturers need to be held accountable for being negligent,” he said. “Yes, the development of these devices can take five years, but secure architecture and development must be a conscious thought at the inception of the product.”
Overall, Domas said she applauds the FDA for, “taking the issue of security in medical devices seriously.” She noted that the agency has been heavily involved in medical conferences and guidance working groups.
“They have been soliciting feedback and buy-in from the whole medical ecosystem, including medical manufacturers, hospitals, and security researchers,” she said.
Harrington said while it will be a long time before, “end users can be fully relaxed and confident in the security posture of medical devices, I am optimistic that this will improve over time.”
And the FDA said, “we are starting to see a change in mindset among all stakeholders – manufacturers are realizing the importance of implementing comprehensive cybersecurity controls throughout a product’s lifespan.”