By: Suzanne B. Schwartz, M.D., M.B.A., Associate Director for Science and Strategic Partnerships, Center for Devices and Radiological Health
Ensuring medical devices are safeguarded from cyber intrusions is a shared responsibility across the medical device ecosystem. At the FDA, we deal with cybersecurity in the context of the total product lifecycle of a device. But we also tackle the issue as it evolves in the cyber ecosystem, where devices are part of an interconnected cyber — physical infrastructure among people, processes, data and information and communication technologies, along with the environment and conditions that influence those interactions.
As medical devices become more digitally interconnected and interoperable, they can improve the care patients receive and create efficiencies in the health care system. However, medical devices, like computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. Thankfully, manufacturers can adopt a holistic approach towards reducing cybersecurity risks associated with devices and of concern to patients by carefully considering — and building in — cybersecurity during design and development of medical devices, as well as having a robust postmarket plan to both manage emerging cyber vulnerabilities and to respond to intrusions or exploits affecting device performance when they occur.
Applying a best-teams approach
The FDA’s role and commitment to medical device cybersecurity continues to increase in scope and nature as we consider the implications of compromised devices across their total product lifecycle. As a member of the Healthcare and Public Health Sector, we work closely with other Federal government agencies and the private sector to identify and prepare for cyber intrusions, reduce medical device vulnerabilities, mitigate potential impacts on patients, and enable timely restoration of devices and systems.
We’ve taken significant steps over the past 5 years to work towards the vision of a healthy and resilient cyber ecosystem. To help make this vision a reality, earlier this month, we took our ongoing relationship with the U.S. Department of Homeland Security (DHS) to another level, announcing a memorandum of agreement between the FDA and DHS, to implement a new framework for enhanced coordination and information sharing about potential or confirmed medical device cybersecurity vulnerabilities and threats. We believe this best-teams approach can lead to more timely and effective responses to potential threats to patient safety and public health.
Under the agreement, DHS will continue to serve as the central medical device vulnerability coordinating body and interface with appropriate stakeholders, including consulting with the FDA for technical and clinical expertise regarding medical devices. The DHS’ National Cybersecurity and Communications Integration Center (NCCIC) will continue to coordinate and enable information sharing between medical device manufacturers, researchers, and the FDA, particularly in the event of cybersecurity vulnerabilities in medical devices that are identified to DHS. The FDA will continue to engage in regular, ad hoc, and emergency coordination calls with DHS and advise DHS regarding the risk to patient’s health and potential for harm posed by identified cybersecurity threats and vulnerabilities.
Earlier this month, CDRH Director Dr. Jeff Shuren, published an FDA Voices perspective calling attention to the Center’s commitment to advancing medical device cyber safety and security in both the pre- and post-market settings. We are proactively addressing the risk to medical devices in the face of an evolving cyber threat landscape with the release of the premarket cybersecurity guidance update on October 18, 2018, to better protect devices from compromise; maintain device functionality in a safe mode even in the event of an attack; and reduce potential risks to patients — a priority identified in the April 2018 FDA Medical Device Safety Action Plan.
Although the FDA issued guidance providing recommendations for device cybersecurity information in premarket submissions in 2014, the rapidly evolving landscape, and the increased understanding of the threats and their potential mitigations necessitated an updated approach. We will hold a public Workshop in January 2019, to discuss the draft guidance “Content of Premarket Submissions for Management of Cybersecurity Medical Devices.”
Building strategic alliances
Creating an environment of shared responsibility means seeking out new engagements — formally and informally — with diverse stakeholders, including other government agencies, industry, healthcare delivery organizations, cybersecurity researchers and more. These relationships have provided us with insights into complex, device lifecycle challenges; they have also brought forth opportunities to leverage potential new tools and multi-pronged approaches to mitigate current gaps.
As a recent example, MITRE, with support from the FDA, released a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook that can serve as a customizable tool for health care delivery organizations to aid in their preparedness and response activities for medical device cyber incidents.
Additionally, we have just executed 2 Memorandum of Understandings (MOUs) for creation of new medical device vulnerability information sharing analysis organizations (ISAOs), in support of the regulatory incentive for manufacturers introduced in our postmarket cybersecurity guidance. These are 3-way MOUs involving the FDA, the ISAO entity and the Healthcare ISAC. Establishing these 2 new medical device ISAOs — MedISAO and Sensato — further builds upon our ongoing, key foundational relationship with the Healthcare ISAC (H-ISAC), an established forum for coordinating, collaborating and sharing vulnerability and threat information across healthcare and public health critical infrastructure. These 2 ISAOs will help expand medical device vulnerability information sharing to meet the diverse needs of small and large organizations. Information that is shared, both internal and external to the ISAO organization, allows stakeholders across the healthcare spectrum to have increased awareness of cybersecurity vulnerabilities and threats, and thereby take a more proactive approach in addressing medical device concerns, working together with manufacturers.
Another example of our efforts to advance and support regulatory science for medical device cybersecurity is our participation in the Medical Device Innovation Consortium (MDIC). This non-profit, public-private partnership brings together industry, government, professional societies and advocacy organizations, to add value to the intersecting needs of the medical device industry, to promote the total product lifecycle of a medical device and to improve patient access to innovative products.
On October 1st, MDIC released a report on medical device cybersecurity and advancing coordinated vulnerability disclosure. This report advances an incredibly important topic in medical device cybersecurity — the adoption of coordinated vulnerability disclosure policies and processes. The FDA appreciated the opportunity to work with MDIC in developing this paper to better understand the barriers impeding adoption and to help influence conversations among medical device manufacturers about the value of working with security researchers and others who identify vulnerabilities. Knowing this information is critical, so that we can address the cybersecurity risk to medical devices in a timely and coordinated manner. We look forward to participating on November 20th in an MDIC webinar to foster further discussion and understanding of this report.
Another notable partnership is the FDA’s participation in the Healthcare and Public Health Sector Coordinating Council (HSCC). The FDA co-chairs the Medical Technology and Health IT Task Group along with forward-leaning industry and health care delivery organization (HDO) leads. This HSCC task group will be releasing a Joint Security Plan this fall that describes best practices for implementing medical device cybersecurity and resilience recommendations, and further demonstrates the capabilities of medical device manufacturers working together with healthcare provider organizations to articulate a common vision to further safeguard patients. We are proud of these partnerships and alliances that demonstrate the far-reaching potential of collaboration across the public and private sector.
Fortifying our long-term commitment
Demonstrative of the FDA’s unwavering commitment to making cybersecurity a top priority for the agency, additional resources have been requested to continue building our medical device cybersecurity program. In the FDA’s Fiscal Year 2019 Budget, we proposed to create a Center of Excellence for Digital Health. This Center of Excellence would help establish more efficient regulatory paradigms, consider building new capacity to evaluate and recognize third-party certifiers, and support a cybersecurity unit to complement the advances in software-based devices.
A report just issued by the Office of Inspector General on November 1, 2018, highlights the importance of establishing and maintaining a robust, collaborative framework for addressing medical device cybersecurity. As we’ve noted in our response to the report, it provides an incomplete and inaccurate picture of the FDA’s oversight of medical device cybersecurity. The FDA has been and continues to work with the medical device industry and other stakeholders to proactively address emerging cybersecurity threats to medical devices in a way that puts patient safety first. The FDA has implemented several of the recommendations in the OIG report. Like the evolving nature of the devices regulated — and cybersecurity threats faced — the FDA’s regulatory approach is not static. We have, and we will continue to, refine and expand the regulatory framework we have put in place.
This work will continue to drive advances in the increasingly complex medical device ecosystem enabling us as a collective to better anticipate cybersecurity risks and apply mitigation strategies early in the total product lifecycle of a device as well as with increased agility throughout the device lifespan as is necessary. We know this work doesn’t end; new challenges will emerge along with development of highly innovative and promising technologies that benefit patients. Fortified by these contributions and advances in capabilities, we will continue to strive tirelessly to further move the needle towards a more cybersecure, safer and resilient medical device ecosystem.
While National Cybersecurity Awareness Month has just concluded, we believe every day is a time to shine a light on the danger that cyber threats pose to our health, economy, and public infrastructure, as well as a time to raise awareness about steps we can all take to mitigate and prevent future attacks. This year’s National Cybersecurity Awareness Month Presidential Proclamation calls upon government and industry to work together, share information, build greater trust, and lead the national effort to protect and enhance the resilience of the Nation’s cyber infrastructure.
For the FDA, it’s also a time to highlight the mission critical work we do every day to protect and promote the public health by fostering collaboration with the private sector, our colleagues across the Federal government, independent security researchers, healthcare providers, other stakeholders and patients.