Unfortunately, many large and traditional medical device companies did not incorporate security practices in their design and development phases nor did they stay vigilant in the post market phase with regard to the latest and greatest security updates. It is only in recent years and due to many embarrassing news article reporting on vulnerabilities in pacemakers and and infusion pumps that forced these companies to take more actions. But even then they are still tailing behind other industries especially in the consumer and financial sectors.
It's also worth to mention that FDA's focus is different from HHS or other agencies. While other agencies care about consumer data integrity and patient health information (PHI) in the case of HHS and HIPAA regulations, FDA is focused solely on patient safety and clinical efficacy. FDA hold medical device companies accountable only if vulnerabilities lead to patient safety issues within the risk management framework. If medical device companies show in their hazard analysis and risk management file, that it's unlikely for vulnerability to be exploited where patient safety is compromised, given the clinical controls and intended use environment, then they don't have to act on them.
You can see that in the FDA Post market guidance on Cybersecurity where they show a chart for Controlled vs Uncontrolled vulnerabilities. So its not uncommon to see scenario where you see a high CVSS score for a vulnerability, but for a medical device intended use in a hospital the manufacturer claims that according to their risk management file, the same vulnerability is controlled and thus its ok not to take any additional measures.
It's also worth to mention that FDA's focus is different from HHS or other agencies. While other agencies care about consumer data integrity and patient health information (PHI) in the case of HHS and HIPAA regulations, FDA is focused solely on patient safety and clinical efficacy. FDA hold medical device companies accountable only if vulnerabilities lead to patient safety issues within the risk management framework. If medical device companies show in their hazard analysis and risk management file, that it's unlikely for vulnerability to be exploited where patient safety is compromised, given the clinical controls and intended use environment, then they don't have to act on them.
You can see that in the FDA Post market guidance on Cybersecurity where they show a chart for Controlled vs Uncontrolled vulnerabilities. So its not uncommon to see scenario where you see a high CVSS score for a vulnerability, but for a medical device intended use in a hospital the manufacturer claims that according to their risk management file, the same vulnerability is controlled and thus its ok not to take any additional measures.
https://www.google.com/search?biw=1516&bih=947&tbm=isch&sa=1...: