Remarks at the Public Workshop on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
January 28, 2019
Remarks by Scott Gottlieb, M.D.
Commissioner of Food and Drugs
Public Workshop: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
Silver Spring, Maryland
I want to begin by recognizing FDA’s medical device cybersecurity team, especially Dr. Jeff Shuren and Dr. Suzanne Schwartz, for their leadership on this important issue as well as their unwavering commitment to fulfilling FDA’s public health mission.
And I want to express my gratitude specifically for the team’s hard work despite very trying circumstances brought about by the government shutdown. I have been humbled by the dedication to mission shown by FDA staff throughout the Agency these past several weeks — especially as so many reported for duty, even without pay, to help ensure the health and welfare of our fellow Americans.
One of our first orders of business is this workshop today.
Ensuring the cybersecurity of connected medical devices is one of our most critical device safety challenges and priorities. As we have seen in recent years, the threat of cyber attacks is not theoretical. And the risk of patient harm — whether from a ransomware attack that interrupts a hospital’s operations, or a hack that compromises a patient’s device — is real.
But, we know that the solutions are not straightforward. Like the technology itself, they are not one-size-fits-all.
Today’s medical devices operate in diverse, often complex, environments — from the bustling hospital ICU, to the physician’s office, to the patient’s bedside. Devices also vary in complexity. And device users are a heterogeneous group, including clinicians, patients, and caregivers.
Against this backdrop, the FDA’s approach to device cybersecurity must be multifaceted. We must consider the implications of compromised devices across their lifecycle. And we must operate in an environment of shared responsibility, collaborating across government agencies, with industry, with security researchers, with patients, and with providers — in short, with all of you here today.
I’m proud of the FDA’s efforts and achievements last year, and I’m excited for how we’ll build on this momentum in the year ahead. As we move forward, our efforts will be guided by the principles of transparency, resiliency, and trustworthiness.
Transparency is an essential building block in cyber incident preparedness and response.
That’s why, last fall, we issued a revised draft of our premarket guidance, including new recommendations for manufacturer transparency by means of a “cybersecurity bill of materials.”
This is, essentially, a list of the software and hardware components of a device that could be susceptible to vulnerabilities.
The concept was born out of the FDA’s experience working with device users, such as hospitals and other provider groups, particularly in response to the WannaCry ransomware attack in 2017. We realized that a major challenge to efficient and timely threat response was that device users simply didn’t know what they had.
By providing this “bill of materials,” manufacturers would deliver much-needed transparency. A “bill of materials” would enable device users or owners, such as hospitals and health systems, to more efficiently evaluate their inventory; identify devices susceptible to cyber events; and prioritize risk mitigations accordingly. I know that one of the panels today will focus specifically on this concept, including the types of information and levels of detail that should be included. We look forward to the discussion and feedback.
We are also guided by the principles of resilience and trustworthiness because, while technology develops rapidly, devices (once purchased) may have a long life.
Today, one of our most critical cybersecurity challenges lies in addressing the safety risks posed by legacy devices. Many older devices were not built with cybersecurity in mind, and they may use insecure software, hardware and protocols, leaving them vulnerable to attack.
But, unlike our laptops and smartphones, many devices cannot simply be swapped out for newer models. Many required significant capital investments, and were intended for years (if not decades) of service. Although the hardware may be durable, many older generation devices were not designed with the ability to receive timely cybersecurity updates, including fixes and patches.
They are, quite simply, not resilient or trustworthy.
That’s a lesson we’re committed to carrying forward as we develop our approaches to ensuring device cybersecurity. It’s why we made resiliency and trustworthiness central themes of the updated draft premarket guidance.
And it’s why, this August, the FDA plans to participate again in DefCon’s “We ‘HEART’ Hackers Challenge” — a white hat hacker event. I know that Dr. Schwartz has already discussed the details of this year’s event. I want to add my voice in encouraging manufacturers to demonstrate their commitment to the principles of device resiliency and trustworthiness by volunteering to take the challenge and participate with their peers this year. And I want to recognize the extraordinary value that white hat hackers bring to the medical device ecosystem through efforts such as this one.
I also want to highlight the Health Care Sector Coordinating Council’s “Joint Security Plan,” which was released yesterday. The Plan articulates a consensus-based set of best practices for cyber-secure technology solutions for devices in a healthcare environment, providing a framework for manufacturers to assess their cybersecurity. In addition, it provides recommendations for hospitals to improve the security of their operations when purchasing and deploying medical devices on their networks. Developed by a partnership of government, industry, and provider groups, the Plan exemplifies what the FDA and others can achieve through effective collaboration.
Finally, on that concept of collaboration, as the FDA continues to expand our cybersecurity program and stay abreast of the evolving threat landscape, an important element will be engagement with clinicians and patients. A comprehensive approach to risk-based regulation must account for their perspectives and preferences.
For example, we must expand our collective efforts to increase clinicians’ awareness and understanding of potential cyber risks, underscoring how device performance may be affected and, in turn, patient safety.
In addition, we recognize that only patients live with their medical conditions, and they must make choices regarding their personal care. As a result, patients provide a unique perspective which, to date, has been underrepresented in discussions among scientists, developers, and regulators about how to address device cyber risks. To that end, I am pleased that one of our panels today will focus exclusively on the patient perspective. And we’ll continue to evaluate ways of eliciting and incorporating patient preference information into our regulatory approach to device cybersecurity.
Thank you again for your participation in this important workshop today, and for your collective efforts to enhance the security of medical devices.