
Siemens Cybersecurity Expert Says Medtech Industry Has Perverse Incentive To Not Disclose Vulnerabilities. Might A New Law Be The Fix?

A few years ago, Siemens AG's Harrison Wadsworth was in the office of his company's product security officer when a customer phone call was patched through.

"The person said: 'How come I keep getting product security bulletins from Siemens about all your security problems when this other vendor we work with has no problems?'" recalled Wadsworth, who is Siemens' director of government affairs, and the firm's cybersecurity expert.

"That's when our product security officer said: 'Well, actually, they do have problems. They’re just not telling you,'" he said at a June Case for Quality forum in Arlington, VA.

Wadsworth said the customer was so concerned about Siemens' cybersecurity disclosures that they were considering switching to a different vendor.

That fear of losing business by being transparent about cybersecurity vulnerabilities means there's "a perverse incentive in some parts of the market that encourages a lack of disclosure," Wadsworth said.

 

"We may be looking to require coordinated vulnerability disclosure through legislation in order to level the playing field." – Suzanne Schwartz

 

That's why the US Food and Drug Administration's Suzanne Schwartz says a new law might be the antidote to companies that willingly hide cybersecurity vulnerabilities to avoid concerning their customers.

"We certainly want to see much broader adoption of coordinated vulnerability disclosure across the entire ecosystem," Schwartz, deputy director of the Center for Devices and Radiological Health's Office of Strategic Partnerships and Technology Innovation, said at the forum.

Coordinated vulnerability disclosure is a process wherein product-makers work with cybersecurity researchers to find vulnerabilities in any software-based product – including medical devices – followed by designing a patch to fix the gap, and then distributing and deploying the patch. (Also see "FDA Cybersecurity Forum: Manufacturers Explain Coordinated Vulnerability Disclosures" - Medtech Insight, 1 Feb, 2019.)

There's so much concern at the FDA about a lack of disclosure in industry that "we may be looking to require coordinated vulnerability disclosure through legislation in order to level the playing field," Schwartz said.

After all, "the companies that are demonstrating the kind of behavior that is a role model for all the ecosystem shouldn't take a hit because of their transparency and the maturity that they are demonstrating – while all the other [firms] that do have vulnerabilities and are not disclosing them" go unnoticed, she added.

 

"There’s a risk, if fear takes over, that people will become afraid to connect their devices." – Harrison Wadsworth

 

Schwartz noted that a 2016 FDA guidance document, "Postmarket Management of Cybersecurity in Medical Devices," "calls out strong recommendations and encouragement of coordinated disclosure policies and processes to be adopted through industry, and we recognize the international standards that are specific to those."

In October 2018, a US congressional panel encouraged federal government agencies and private companies to embrace coordinated vulnerability disclosures, pointing to the disclosure advice in the FDA’s cybersecurity guidance as a model that could work. (Also see "US Lawmakers Praise FDA Tips On Coordinated Vulnerability Programs For Device Cybersecurity" - Medtech Insight, 25 Oct, 2018.)

When it comes to cybersecurity and transparency, "the stakes are really high in safety-critical industries," Schwartz said. "Particularly, think about those patients with implanted devices or devices at home that they rely on for critical life functions, and what it’s like to find out that information has not been disclosed in a coordinated manner. It creates a lot of fear, a lot of concern, a lot of anxiety and a lot of hysteria."

Added Siemens' Wadsworth: "There’s a risk, if fear takes over, that people will become afraid to connect their devices [and will develop] an overall lack of trust in connected technology and innovation.

"That’s the real risk."
