By Heath C Renfrow, CISSP, C|CISO, C|EH, C|NDA
Since 2013, cyber professionals have been warning about the cyber risk and exposure healthcare organizations face from cyber-attacks on medical devices and software. As a result of these concerns the Health and Human Services (HHS) extended security and privacy rules to business associates, and the Federal Drug Administration (FDA) issued “guidance” on appropriate safeguards for reducing risk of cyber security incidents that compromised the confidentiality, integrity, and availability for both medical devices and healthcare organizations. This guidance was nothing more than a recommendation and had no punitive teeth to hold medical device manufacturers accountable to cyber security.
Over the past five years, there have been many incidents and warning flags that have emerged in regards to cyber risks and medical devices, from the Department of Homeland Security cyber alert to discontinue use of Hospira’s Symbiq Infusion System, to the first ever FDA cyber recall of the St. Jude Medical implantable cardiac device. Yet even with all of the warnings and public examples of cyber security vulnerabilities with medical devices, manufacturers continue to build medical devices with security as an afterthought.
Through the years the FDA has also felt the pressure from both the cyber security community, and healthcare communities to put enforceable cyber security regulation on the medical device manufacturer community, and after years of constant pressure, it appears the FDA is finally taking action.
The FDA on April 17, 2018, released a safety action plan that outlines several proposals for improvement of cyber security in medical devices. The report, labeled “Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health,” targets the improvement of safety of medical devices throughout their life cycle, which is extremely important, as some of these devices such as MRI machines have a very long lifespan, and continuous lifecycle support is needed. Some of the cybersecurity specific highlights the proposal is considering include:
- New post-market authority to require that firms adopt policies and procedures for coordinated disclosure of vulnerabilities as they are identified.
- Potential new premarket authorities to require firms to build the capability to update and patch device security into product’s design and to report this capability in the device’s premarket submission.
- Development of public-private partnership that would complement existing device vulnerability coordination and response mechanisms and serve as a resource for device makers and the FDA.
- The development of a “Software Bill of Materials” that must be provided to the FDA as part of the premarket submission and made available to medical device customers and users.
- Updated premarket guidance on medical device cybersecurity to better protect against moderate and major risks.
There are many challenges in protecting medical devices from cyber attacks, and it appears that the FDA has finally listened to the cyber and healthcare communities about those challenges and need for meaningful, impactful medical device cyber security regulation.
The announcement is a great first step in tackling that challenge, and we at LEO Cybersecurity fully support this effort. To learn how to incorporate the guidance into your existing cyber security program, please contact LEO Cyber Security today.