A CIO on Carrying the Burden of Medical Device Cybersecurity
Cletis Earle of Kaleida Health Discusses Why Standards, Congressional Action Are Needed
A lack of standards spelling out to manufacturers their responsibilities for addressing the cybersecurity of medical devices - especially legacy products - has left a big burden on the healthcare entities that use these devices, says Cletis Earle, CIO at Kaleida Health, a health system in New York state.
The situation "has created significant challenges, because ... those devices sit in our networks and infrastructures from the technology side, and we're now held responsible to remediate those issues," says Earle, who is also chair of the College of Healthcare Information Management Executives - or CHIME - board of trustees.
"Many of those devices are very proprietary and it's very difficult to manage them because you would need to put in some kind of solution that ... monitors devices - and the proprietary nature of those devices makes that very challenging to do," he says in an interview with Information Security Media Group.
"It's a lack of standards as well as a lack of characterization of those standards that makes this challenging. There's no true vulnerability disclosure associated with these devices. Suppliers should provide documentation of the vulnerabilities of their products like they would normally do for anything else in a situation like that. We need to ask for greater risk sharing."
Call to Congress
CHIME and its Association of Executives in Healthcare Information Security subgroup - AEHIS - were among several organizations that recently submitted comments in response to the House Energy and Commerce Committee's request for information, issued in April, seeking feedback on how to improve the cybersecurity of legacy medical devices (see Strong Opinions Voiced on Medical Device Security Challenges).
In their formal comments to the committee, CHIME and AEHIS asked for more specific industry standards for the definition of "legacy medical device," as well as industry standards for the categorization of device cyber risks.
Although the Food and Drug Administration has issued "non-binding" pre-market and post-market cybersecurity guidance for medical devices, "we recommend the FDA strongly consider using binding guidelines and guidance," Earle says. That includes requiring manufacturers to use cybersecurity frameworks, such as the National Institute of Standards and Technology cybersecurity framework, he says.
"It is imperative that all of the manufacturers move to this guidance. They are recommendations, but in many cases, there are no standards."
To help raise the bar further, "we're really hoping Congress can help influence the FDA to shore up some of these security challenges by putting out some mandates and changing some laws," he adds.
In the interview, Earle also discusses:
- Other cyber challenges involving legacy medical devices;
- Steps healthcare entities can take to help mitigate legacy medical device cyber challenges;
- How medical device makers can better address cyber issues in their new devices before those products become "legacy" devices.
Earle is senior vice president and CIO at Buffalo, New York-based Kaleida Health, which operates four hospitals and numerous community healthcare centers. He previously served as vice president and CIO at St. Luke's Cornwall Hospital. Earle began his IT career as a support manager at Brooklyn Queens Health Care Inc. in Brooklyn, NY, eventually taking on roles as director of technology and vice president, CIO and privacy officer.