FDA Cybersecurity Guidance: Added Security…But at What Cost?

Dr. Sean Kelly
Jun 17, 2013

Last week, the FDA issued guidance to improve cybersecurity efforts in healthcare, warning that computer viruses could “affect how a medical device operates” and potentially expose personal health information. The memo provides general recommendations to both medical device manufacturers and healthcare facilities about how to defend against malware and other threats.

This guidance comes as no surprise, as a recent study from the Ponemon Institute found that 63 percent of healthcare organizations experienced a data breach that required notification in the last 24 months.

While this indicates a need to bolster security efforts, it also presents a challenge to hospitals that concerns me as a physician.

The need to keep patient information protected at all times is imperative, but adding security measures typically increases complexity, which disrupts clinical workflows, frustrates clinicians and often detracts from patient care. In fact, the Ponemon Institute survey showed that the majority of healthcare professionals believe that HIPAA and other regulations negatively impact patient care. Figure 1 below cites some of the ways in which survey respondents think HIPAA regulations make it more difficult to deliver quality patient care.

As a physician, my primary objective is to care for patients as best I can. To do this, I need fast, easy access to technology, clinical applications and patient information, and I do not want to be bogged down by slow or complicated IT systems. Therefore, it is incumbent on hospitals to address these security concerns without stifling new technology adoption or inhibiting clinicians from optimizing technology for patient care.

The FDA guidance is important, but to ensure that it does not compound these challenges, it is essential that IT and clinical staffs collaborate to strike a balance between security and convenience. Adequately protecting patient information and guarding against cyberattacks can be accomplished while also enabling clinicians to seamlessly access the systems and data they need to deliver the best possible care for patients.

Figure 1: How HIPAA regulations diminish the delivery of quality patient care (from The Economic and Productivity Impact of IT Security on Healthcare report, May 2013)