Post by Moshe Ben Simon and Anthony James
The U.S. Food and Drug Administration has issued non-binding guidance on protecting medical devices against cyber security threats. The document was issued in draft for comment almost a year ago and was issued as final guidance on December 28, 2016. Earlier guidance on medical device premarket cyber security was issued in October 2014.
The FDA understands the problem. After considerable analysis and review, the FDA views medical device manufacturers as central to combating cyber security threats. Medical device manufacturers are highly encouraged to “design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.” [1]
Manufacturers need to build out programs that address the need for comprehensive cyber security over the lifecycle of their products. They need to understand the level of potential risk that vulnerabilities bring to patients and monitor and rapidly detect those vulnerabilities. It is critically important that manufacturers work with the cyber security industry and other key ecosystem members to receive information on current threats rapidly and develop the necessary countermeasures to mitigate them, before threats can cause widespread harm within the broader population of installed devices.
As a counterbalance to the FDA’s non-binding recommendation, the health care community remains directly responsible for cyber security on a day-to-day basis. Health care entities are required under HIPAA to protect patient data; an incidental benefit of this may be increased patient safety, although we have not seen any evidence of direct attacks against patients.
There are more than 6500 medical device companies in the United States alone, [2] and millions of installed medical devices. Life cycles for these devices may exceed five to ten years. Older devices with embedded CPUs and older, unprotected operating systems have many vulnerabilities; it is still the responsibility of health care providers to ensure that these legacy devices are resilient enough to provide the robust patient-data protection required under HIPAA.
Despite the FDA’s responsible and timely steps, health care providers and major hospitals will still operate in an environment of sophisticated cyber attackers and ransomware attacks for years to come. New cyber defense best practices and new technologies, such as deception technology, enable hospitals to address these risks today.
The basic operating model has changed, and with it the basic strategy. Health care providers must assume that sophisticated attackers cannot be kept out with certainty; attackers will find ways past the firewall and onto endpoints. Once attackers are inside, health care institutions must find ways to identify them, understand their intentions, and then stop the attacks and resume normal operations.
You can read the FDA blog post on this topic in FDA Voice. Its author, Suzanne B. Schwartz, M.D., M.B.A., is the FDA’s Associate Director for Science and Strategic Partnerships at the Center for Devices and Radiological Health.