FDA offers prescription for security of medical devices

Agency recommends manufacturers develop postmarket regulations to lessen cyber risks


The U.S. Food and Drug Administration has taken another notable step toward pushing medical device manufacturers to address how their products could be hacked, putting patients at risk.

The FDA’s draft guidance for postmarket medical devices, issued earlier this year, essentially asks manufacturers to develop a cybersecurity risk-management program addressing vulnerabilities in their existing products.


Like a similar 2015 FDA recommendation directed at premarket design and development of medical devices, this draft guidance focused on medical devices already in the marketplace is both nonbinding and intentionally narrow in scope.

But it does point the way for medical device manufacturers to begin taking more seriously how extension of the Internet of Things deeper in their products can potentially put patients in harm’s way.

The FDA recommendations apply only to already-regulated medical devices such as implantable defibrillators and insulin-infusion pumps—and not to electronic health records and other information systems.

“What (the FDA) could do better is expand the scope to include guidance for other components of medical devices,” says Roubinder Singh, senior security solutions architect at Mocana, a provider of security solutions for the Internet of Things.

Guidelines don’t encompass enough

David Holtzman, vice president of privacy and security compliance services at health care security and privacy provider CynergisTek, says the narrow scope of the FDA guidance has an unintended consequence—leaving out the problem created by integrated systems.

“The majority of data breaches that we are aware of have not involved FDA-regulated devices,” he says. “By and large, the breaches we hear about concern information systems—but these information systems can be infiltrated through the regulated medical devices, and that’s a concern.”

Holtzman disagrees with some experts who say the FDA is right not to overreach beyond the scope of harm to human health. The medical devices are designed to integrate into the clinical settings that are managed by the information systems—and that integration opens up the entire enterprise to cybersecurity threats, he says.

“This is the first step toward recognition of the threat,” he says. “My hope would be that the vendors and the FDA would come to realize that we would all benefit if this guidance was made mandatory.”

Peter Graham, Mocana vice president

All bark, no bite

Another criticism is that there is no enforcement mechanism backing the limited best practices called out by the FDA.

“There’s really no teeth behind it,” says Peter Graham, a Mocana vice president. “Traditionally what’s missing from these documents is the implementation source.”

The lack of details leaves things up for interpretation if companies are facing enforcement action, says Jana Landon, founder and chair of the e-discovery team at the law firm Stradley Ronon Stevens & Young.

Jana Landon, founder and chair of the e-discovery team at Stradley Ronon Stevens & Young

“The standard right now doesn’t have a lot of particularity, so what’s reasonable under the standard is up to the individual investigator,” she says.

The FDA recommendations for manufacturers include:

  • Adopting the National Institute of Standards and Technology’s “Framework for Improving Critical Infrastructure Cybersecurity,” which was developed as a result of President Obama’s 2013 executive order to improve critical infrastructure cybersecurity;
  • Developing a process for assessing risk based on how the vulnerability can be exploited and how severely that would impact patients;
  • Practicing “good cybersecurity hygiene,” as well as remediating vulnerabilities “to reduce the risk of compromise to essential clinical performance to an acceptable level”;
  • Defining essential clinical performance to develop cybersecurity risk mitigation;
  • Providing customers and the user community with information on workarounds, fixes and residual cybersecurity risks.

Shared learning

The FDA also is placing an emphasis on participation in information-sharing analysis organizations, which were part of the 2015 presidential executive order. For manufacturers that participate in information sharing, the FDA will not enforce certain reporting requirements under the guidance.

Rich Campagna, Bitglass vice president of products and marketing

Rich Campagna, vice president of products and marketing at cloud access security broker Bitglass, says the information-sharing aspect is positive. He points to examples of other industries, like financial services, that are learning from one another about vulnerabilities and exploits.

“It allows for mutual learning and accelerates things,” he says. “You don’t have to learn from your own mistakes.”

Mocana’s Singh says the breadth of medical devices will present challenges for manufacturers looking to implement the guidance. Each device is different in terms of the operating system, memory cards, chip, etc.—which means each security patch is different as well.

“The guidance does a good job describing what manufacturers should do, but the challenge would be how to go about implementing that process, or how to go about identifying vulnerabilities and then fixing them,” he says.

Problem more complex

And those patches are just the first step.

“Since these are postmarket devices, it still comes down to the customers to actually implement these patches in a timely manner,” Campagna says.

Oftentimes, he says, health care organizations don’t have the infrastructure they need to support all the devices. But they also are concerned about impacts on functionality.

“A critical patch could break something else—and those issues cause people to slow down adoption of the patch,” he says.

Compounding the problem, according to Landon, is the fact that it could take a decade or more for a product to make it to market—and many existing devices also are very outdated.

“You need to have the hardware and software on the machine that can actually support a patch, and that’s part of the problem,” she says.
