Cybersecurity is a moving target across every industry. Although it is not a new concept for medical devices, the sector's security maturity is comparatively low versus other business sectors. One of the biggest issues devices face is postmarket vulnerability: the longer a product is on the market, the more time attackers have to find weaknesses in it, and patching it in the field is far harder than patching a server. Given the industry's low maturity in this area, many devices already on the market were not built with robust security in mind.
“It’s the dynamic nature of these issues that I think lends cybersecurity to be such a challenge for us, because [of the] dynamic threats—in other words, we ship a device into the field and later we learn of a vulnerability and have to go mediate that vulnerability,” said Eric Soederberg, president and CEO of Sunrise Labs at the MedTech Intelligence mHealth for Medical Device Manufacturers conference last month. “That requires us to go fix things in the field, and maybe even plan to do that on a regular basis. And changing something in the field is something that, as a product development person working on medical devices, you spend your whole career trying to avoid. This is a whole new mindset.”
In October 2014, FDA held its first workshop on cybersecurity and released a guidance document on managing cybersecurity in premarket submissions for devices. With the recent issuance of a draft guidance on postmarket cybersecurity management, it is clear that the agency is trying to move industry toward a stronger and more mature state for addressing current and future vulnerabilities.
“There isn’t an expectation that every time a new threat is identified or a vulnerability is identified that FDA expects manufacturers to come to the agency with a new submission,” said Susan Schwartz, M.D., associate director for science & strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures at CDRH, who participated in an expert panel during the conference. “We’ve provided enough latitude that should incentivize their behavior.” What the agency would like to see, Schwartz added, is for larger organizations that are championing cybersecurity to help the smaller groups, along with industry adoption of coordinated vulnerability disclosure agreements.
Where medical device manufacturers can have the greatest impact on cybersecurity is, as with any other product requirement, during the design concept phase. Instead of bolting security on at the end, manufacturers should design it in from the start. They should also use threat modeling to understand what the device must be protected against, and revisit the model continually because threats change over time, recommended Colin Morgan, head of global product security at Johnson & Johnson. The threat model depends on the context of use: is the device used in a hospital, or does a patient wear it every day? “Set core requirements that align to the FDA guidance and NIST,” said Morgan. “If you’re passing patient data, you should always encrypt it.”
When looking at software, open source has grown in popularity over the past few years because it offers more flexibility than purchased off-the-shelf components, but it also brings greater exposure to vulnerabilities, said Morgan. Software moves quickly, and open source packages are updated frequently, so companies need constant vigilance to ensure they are running patched versions. Companies should keep an accurate inventory of the third-party software built into their products, because a component cannot be monitored, patched or risk-assessed if the manufacturer does not know it is there.
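The inventory-and-vigilance practice described above can be turned into a repeatable check. The following is an added example, not code from the article or from any speaker or company quoted in it: it reads a small CycloneDX-style component list (the software bill of materials for a device build) and compares each component against an advisory list giving the first fixed version. The SBOM, the component names, the versions and the advisory entries are all constructed for illustration and are not real products or real vulnerabilities. The one detail worth noting is the version comparison: it is done numerically, field by field, because a plain string comparison would rank `1.9.0` above `1.10.0` and silently miss an out-of-date component.

```python
"""Flag bundled third-party components that sit below an advisory's fixed version.

Added example. SBOM_JSON and ADVISORIES are constructed, hypothetical data.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed, CycloneDX-style inventory for one device build (hypothetical names).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "libtls-embedded", "version": "2.4.1", "type": "library"},
    {"name": "json-parse-lite", "version": "1.0.9", "type": "library"},
    {"name": "rtos-net-stack",  "version": "3.2.0", "type": "library"},
    {"name": "pump-control-fw", "version": "5.1.0", "type": "firmware"}
  ]
}
"""

# Constructed advisory feed (hypothetical): component name -> first fixed version.
# In practice this would come from the vendor's monitoring of upstream advisories.
ADVISORIES: Dict[str, str] = {
    "libtls-embedded": "2.4.3",
    "json-parse-lite": "1.0.9",
    "rtos-net-stack": "3.3.0",
}


def version_tuple(version: str) -> Tuple[int, ...]:
    """Extract the numeric fields of a version string, e.g. '2.4.1' -> (2, 4, 1).

    Non-numeric suffixes such as '-rc1' are ignored; only dotted numbers matter here.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_outdated(installed: str, first_fixed: str) -> bool:
    """True when the installed version is strictly below the first fixed version.

    Both tuples are padded to the same length so '2.4' compares equal to '2.4.0'.
    Numeric comparison avoids the string-ordering trap where '1.9' > '1.10'.
    """
    a, b = version_tuple(installed), version_tuple(first_fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def load_components(sbom_json: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs from a CycloneDX-style JSON document."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def find_outdated(sbom_json: str, advisories: Dict[str, str]) -> List[Dict[str, str]]:
    """List every inventoried component that is below its advisory's fixed version.

    Components with no advisory entry are reported as clean; a component that is
    absent from the SBOM is invisible to this check, which is exactly why the
    inventory has to be complete.
    """
    findings = []
    for name, installed in load_components(sbom_json):
        first_fixed = advisories.get(name)
        if first_fixed is not None and is_outdated(installed, first_fixed):
            findings.append({"name": name, "installed": installed, "first_fixed": first_fixed})
    return findings


if __name__ == "__main__":
    for hit in find_outdated(SBOM_JSON, ADVISORIES):
        print(f"OUTDATED {hit['name']}: {hit['installed']} < fixed in {hit['first_fixed']}")
```

Running it against the constructed data reports `libtls-embedded` and `rtos-net-stack` as outdated and leaves `json-parse-lite` (already at the fixed version) and `pump-control-fw` (no advisory) alone. The same loop can run in a build pipeline against the real SBOM of each firmware release, turning "constant vigilance" into a gate that fails the build when a bundled component falls behind.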
Currently, the biggest healthcare threats are breaches of personally identifiable information (PII, especially bulk PII breaches), protected health information (PHI), and payment card data (the kind of data covered by PCI requirements). With the majority of cybersecurity threats coming from overseas, the FBI is taking proactive measures to mitigate them using a whole-of-government approach. According to John Riggi, cyber outreach section chief of the FBI’s Cyber Division, the FBI’s role in cybersecurity is three-pronged: investigation, attribution and disruption. He encourages device manufacturers to establish a relationship with their local FBI field office before an incident happens. “Those trusted personal contacts are absolutely critical during a crisis, should you have an incident,” said Riggi. “It humanizes the FBI—you understand what our focus is and the fact that we’re looking to treat you, if you are the subject of an intrusion, as a victim first…In the preincident mode, we’re looking to share information [and] intelligence, which may help the company defend itself.”
Every FBI field office has a cyber task force (there are currently 56 field offices and 400 sub-offices). Riggi encouraged companies to find their local field office on the FBI’s website and, once located, reach out to the cyber task force supervisor. The agency also has a Cyber Watch (CyWatch) center that companies can contact if they uncover an intrusion or loss of data (the center is open 24 hours a day, 7 days a week, at 855-292-3937). “The best time to make friends is not when you need them, so that’s why we highly encourage having those relationships first,” said Riggi. “Should you have a problem, the FBI can respond in a multi-tiered manner.” At the local level, the agency has cyber investigators, computer analysis and forensic teams who act as the “first responders” to the problem, and should a major intrusion of national significance occur, the FBI will deploy national resources.
Riggi also clarified that the FBI’s role does not necessarily involve FDA when it investigates an intrusion. “We’re not the regulators, and we’re not calling the regulators unless there’s a health and safety issue.”
Although the cybersecurity environment for medical devices is particularly complex at the moment, don’t expect to see device-specific security regulations any time soon. “Our [FDA’s] position [is that]—by alignment with the quality system regulation, we don’t see a future need for regulation happening with regards to medical device security,” said Schwartz. The agency instead favors a flexible approach via guidance, which can keep pace with technologies that are constantly evolving. “There’s a lot of discussion about this issue—if it’s not a regulation, how can you enforce it?” said Schwartz. “If it’s in the guidance, we still expect manufacturers to follow it.”