The Food and Drug Administration (FDA) recently released industry guidance for the postmarket management of cybersecurity in medical devices. We are pleased to see the FDA address medical device cybersecurity given the increasing frequency and severity of cyberattacks against healthcare organizations. A recent report shows cyberattacks against healthcare organizations increased 63% in 2016, a trend expected to continue in 2017. Medical device cybersecurity is an urgent issue we must address to help protect healthcare organizations from dangers such as ransomware and data breaches. However, while the recently released FDA guidance provides good recommendations for the primary medical device market, it overlooks a large, growing segment of medical devices: the secondary market.
The secondary medical device market is the market created by the resale and purchase of used and refurbished medical devices. Hospitals and clinicians facing limited funds and budget constraints can purchase used medical devices for a fraction of the cost of new medical devices. This market is already over $6 billion according to recent reports, and is projected to grow further to nearly $12 billion by 2021. The product warranties and manufacturer remediation available to the primary medical device market do not adequately address the concerns of the secondary medical device market. Hospitals and clinicians engaged in cybersecurity risk management and remediation for refurbished medical devices require a more proactive approach to cybersecurity in order to effectively navigate the challenges they face.
Guidance for medical device cybersecurity must address the concerns of both the primary and secondary medical device markets. We urge the FDA to consider the vulnerabilities of medical devices in the growing secondary medical device market and provide guidance to help hospitals and clinicians effectively manage and remediate potential cybersecurity risks. Recommendations for this guidance might include the implementation of cybersecurity solutions capable of addressing software flaws or vulnerabilities present in medical devices for which manufacturers no longer provide support. Other recommendations might include network solutions capable of protecting unsecured medical devices from external cyberattacks. We believe it is important to provide the healthcare industry with continued support and recommendations to help protect healthcare organizations from the ever-increasing threat of cyberattacks they face today.