Pharma Intelligence is part of the Informa Intelligence Division of Informa PLC
This is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
A few years ago, Siemens AG's Harrison Wadsworth was in the office of his company's product security officer when a customer phone call was patched through.
"The person said: 'How come I keep getting product security bulletins from Siemens about all your security problems when this other vendor we work with has no problems?'" recalled Wadsworth, who is Siemens' director of government affairs, and the firm's cybersecurity expert.
"That's when our product security officer said: 'Well, actually, they do have problems. They’re just not telling you,'" he said at a June Case for Quality forum in Arlington, VA.
Wadsworth said the customer was so concerned about Siemens' cybersecurity disclosures that they were considering switching to a different vendor.
That fear of losing business by being transparent about cybersecurity vulnerabilities means there's "a perverse incentive in some parts of the market that encourages a lack of disclosure," Wadsworth said.
"We may be looking to require coordinated vulnerability disclosure through legislation in order to level the playing field." – Suzanne Schwartz
That's why the US Food and Drug Administration's Suzanne Schwartz says a new law might be the antidote to companies that willingly hide cybersecurity vulnerabilities to avoid concerning their customers.
"We certainly want to see much broader adoption of coordinated vulnerability disclosure across the entire ecosystem," Schwartz, deputy director of the Center for Devices and Radiological Health's Office of Strategic Partnerships and Technology Innovation, said at the forum.
Coordinated vulnerability disclosure is a process wherein product-makers work with cybersecurity researchers to find vulnerabilities in any software-based product – including medical devices – followed by designing a patch to fix the gap, and then distributing and deploying the patch. (Also see "FDA Cybersecurity Forum: Manufacturers Explain Coordinated Vulnerability Disclosures" - Medtech Insight, 1 Feb, 2019.)
There's so much concern at the FDA about a lack of disclosure in industry that "we may be looking to require coordinated vulnerability disclosure through legislation in order to level the playing field," Schwartz said.
After all, "the companies that are demonstrating the kind of behavior that is a role model for all the ecosystem shouldn't take a hit because of their transparency and the maturity that they are demonstrating – while all the other [firms] that do have vulnerabilities and are not disclosing them" go unnoticed, she added.
"There’s a risk, if fear takes over, that people will become afraid to connect their devices." – Harrison Wadsworth
Schwartz noted that a 2016 FDA guidance document, "Postmarket Management of Cybersecurity in Medical Devices," "calls out strong recommendations and encouragement of coordinated disclosure policies and processes to be adopted through industry, and we recognize the international standards that are specific to those."
In October 2018, a US congressional panel encouraged federal government agencies and private companies to embrace coordinated vulnerability disclosures, pointing to the disclosure advice in the FDA’s cybersecurity guidance as a model that could work. (Also see "US Lawmakers Praise FDA Tips On Coordinated Vulnerability Programs For Device Cybersecurity" - Medtech Insight, 25 Oct, 2018.)
When it comes to cybersecurity and transparency, "the stakes are really high in safety-critical industries," Schwartz said. "Particularly, think about those patients with implanted devices or devices at home that they rely on for critical life functions, and what it’s like to find out that information has not been disclosed in a coordinated manner. It creates a lot of fear, a lot of concern, a lot of anxiety and a lot of hysteria."
Added Siemens' Wadsworth: "There’s a risk, if fear takes over, that people will become afraid to connect their devices [and will develop] an overall lack of trust in connected technology and innovation.
"That’s the real risk."Medtech Insight: global medical technology news & analysis
By Vibha Sharma 02 Jun 2023
Stay current on regulatory guidelines from around the world with Medtech Insight's Guidance Tracker. Forty-seven documents have been posted on...
Medtech Insight: global medical technology news & analysis
02 Jun 2023
This week, Illumina’s board added two independent members; the VA and the FDA agreed to collaborate on supply chain issues;...
Medtech Insight: global medical technology news & analysis
02 Jun 2023
Medtech trade group AdvaMed is offering a list of recommendations to beef up the nation’s medical technology supply chain. Public-private...
Request a Trial
Whether you’re a small biotech start-up, research firm, generic manufacturer or a global pharmaceutical giant, you need focused, independent insight and opinion on market developments.
Speak to Sales
Our team is ready to hear from you for a particular request or area of interest. Please do not hesitate to reach out and discuss.
Client Services
Contact us for product technical and account support.
Pharma Report Store
Have an immediate and specific information need?
Browse and buy from 1000s of analysis and research reports now:
