The National Institute of Standards and Technology (“NIST) has announced that it will be seeking industry input on developing “use cases” for its framework of cybersecurity standards related to patient imaging devices. NIST, a component of the Department of Commerce, is the agency assigned to the development and promulgation of policies, guidelines and regulations dealing with cybersecurity standards and best practices. NIST claims that its cybersecurity program promotes innovation and competitiveness by advancing measurement science, standards, and related technology in ways that enhance economic security and quality of life. Its standards and best practices address interoperability, usability and privacy continues to be critical for the nation. NIST’s latest announcement is directed at eventually providing security guidance for the healthcare sector’s most common uses of data, inasmuch as that industry has increasingly come under attack.
The current announcement is reflective of the interest of NIST and the Food & Drug Administration (“FDA”), the primary regulatory agency for medical devices, within the so-called Internet of Things (“IoT”). Thus, NIST, through its National Cybersecurity Center of Excellence, will accept proposals up to June 8, 2018, for “products and technical expertise” relevant to the creation of guidelines for securing data used by Picture Archiving and Communication Systems (“PACS”). NIST will attempt to harmonize the requirements for patient imaging devices with NIST’s overall cybersecurity framework.
The proposed project will examine the specific uses and regulatory requirements for patient imaging devices, and how those varying considerations apply to the use of the NIST cybersecurity framework. As the NIST project summary notes PACS are regulated by the FDA as “class II” devices that provide one or more functions related to the “acceptance, transfer, display, storage, and digital processing of medical images.” These devices, which can be found in virtually every hospital, are not only vulnerable to cyber-attack in and of themselves, but NIST sees them as a “pivot point into an integrated healthcare information system.”
The current imaging device project follows last year’s release of draft guidelines for wireless infusion pumps, and evidences the government’s continuing concern, not only with the security of the IoT, but with specific reference to the vulnerable health care sector.
Epstein Becker Green routinely deals with questions related to medical device regulation and cybersecurity. For further information, you can contact Stuart Gerson, Adam Solander, Bradley Merrill Thompson or James Boiani.