FDA Reveals Steps to Bolster Medical Device Cybersecurity

'Playbook' Prepared; Data Sharing Efforts Planned

In its ongoing quest to improve the state of medical device cybersecurity, the Food and Drug Administration has announced a number of key moves - including the release of a new security playbook, plans to leverage information sharing and analysis organizations, and an effort to update its 2014 premarket guidance for manufacturers.

See Also: Live Webinar | Leveraging AI in Next Generation Cybersecurity

In a statement Monday, FDA Commissioner Scott Gottlieb, M.D., says the efforts are aimed at addressing growing cybersecurity threats and potential related patient safety worries for network-connected medical devices.

"As the number of cyberattacks has increased, we've heard concerns about the potential for cybercriminals to attack patient medical devices," Gottlieb says.

Cybersecurity researchers continue to identify device vulnerabilities in non-clinical, research-based settings, demonstrating how bad actors could gain the capability to exploit these same weaknesses, thereby acquiring access and control of medical devices, Gottlieb notes.

"The FDA isn't aware of any reports of an unauthorized user exploiting a cybersecurity vulnerability in a medical device that is in use by a patient. But the risk of such an attack persists," he says.

"We understand that the threat of such an attack can cause alarm to patients who may have devices that are connected to a network. We want to assure patients and providers that the FDA is working hard to be prepared and responsive when medical device cyber vulnerabilities are identified."

Shared Responsibility

The FDA's latest efforts to address these cybersecurity concerns are built on "a foundation of shared responsibility with [healthcare sector] stakeholders," the FDA says in its statement.

Those efforts include:

The launch of a cybersecurity "playbook" for healthcare delivery organizations, prepared with Mitre Corp., which is focused on promoting cybersecurity readiness, and a new playbook for FDA's internal staff;

The signing of two "memoranda of understanding" with the National Health Information Sharing and Analysis Center (recently renamed H-ISAC). One of those agreements is between FDA, H-ISAC and the Sensato Critical Infrastructure ISAO, run by Sensato Cybersecurity Solutions. The other agreement is between FDA, H-ISAC and MedISAO, an organization composed of members of the medical device community. Each of the partnerships is aimed at increasing industry transparency about medical device cybersecurity threats and other issues;

Discussions between FDA and U.S. Department of Homeland Security about executing a "memorandum of agreement" related to their inter-agency work on medical device cybersecurity.

Plans for FDA in the coming weeks to publish a significant update to its 2014 premarket medical devices cybersecurity guidance to reflect FDA's "most current understandings of, and recommendations regarding, this evolving space."

Guidance Updates

FDA says the upcoming new draft guidance will highlight the utility of providing customers and users with a "cybersecurity bill of materials" - a list of commercial and/or off-the-shelf software and hardware components of a device that could be susceptible to vulnerabilities.

"Depending on the level of cybersecurity risk associated with a device, this list can be an important resource to help ensure that device customers and users are able to respond quickly to potential threats," FDA writes.

New Playbooks

In the meantime, the new playbook, developed by Mitre Corp. with support from FDA, describes the types of readiness activities that will enable healthcare delivery organizations to be better prepared for a cybersecurity incident involving their medical devices, FDA says.

"These include steps such as developing a medical device inventory and conducting training exercises. The goal is to give product developers more opportunity to address the potential for large-scale, multipatient impact that may raise patient safety concerns," FDA says.

The agency also developed its own internal playbook to help its staff address cybersecurity threats, vulnerabilities and incidents. "Our internal playbook establishes an effective and appropriate incident plan that's flexible and clear. It aims to help the agency respond in a timely manner to medical device cybersecurity attacks - mitigating impacts to devices, healthcare systems and ultimately, patients," FDA says.

Ongoing Efforts

The latest efforts revealed on Monday by FDA are in addition to a request for a budget in fiscal 2019 to build a new Center of Excellence for Digital Health containing a medical device cyber unit.

"This Center of Excellence would help establish more efficient regulatory paradigms, consider the building of new capacity to evaluate and recognize third-party certifiers and support a cybersecurity unit to complement the advances in software-based devices," FDA says.

Needed Help

Ben Ransford, president of Virta Labs, a healthcare cybersecurity firm, says the keystone of FDA's latest plans is the playbook for healthcare delivery organizations.

One thing that sticks out very clearly in the new playbook is the emphasis on defining the appropriate leadership roles for dealing with medical device cybersecurity incidents, Ransford says. "Healthcare organizations have needed a roadmap like this for a while," he adds.

The playbook notes, for example, that during the incident preparedness phase, a senior leadership champion, such as a CISO, may officially sanction through policy the cybersecurity decisions and actions that the organization's incident management team takes during an incident, such as curtailing device usage. "During a cyberattack, there is not always time to make calls through a chain of command; accordingly, to facilitate timely decision making during an incident, clarify, in advance, who has what authority," the playbook says.

Another important point that the playbook draws attention to "is the need to quickly understand what's going on during an event, which means healthcare delivery organizations need to learn how to win at security basics," Ransford says.

"If the industry continues on its current path, in the next several years we're going to see avoidable security failures stemming specifically from overspending on buzzwords in an attempt to paper over the basics," he says. "Artificial intelligence and blockchain can't save you if your cybersecurity ultimately boils down to one person babysitting black boxes."