FDA offers prescription for security of medical devices

Agency recommends manufacturers develop postmarket regulations to lessen cyber risks


The U.S. Food and Drug Administration has taken another notable step toward pushing medical device manufacturers to address how their products could be hacked, putting patients at risk.

The FDA’s draft guidance for postmarket medical devices, issued earlier this year, essentially asks manufacturers to develop a cybersecurity risk-management program addressing vulnerabilities in their existing products.


Like a similar 2015 FDA recommendation directed at premarket design and development of medical devices, this draft guidance focused on medical devices already in the marketplace is both nonbinding and intentionally narrow in scope.

But it does point the way for medical device manufacturers to begin taking more seriously how extension of the Internet of Things deeper in their products can potentially put patients in harm’s way.

The FDA recommendations apply only to already-regulated medical devices such as implantable defibrillators and insulin-infusion pumps—and not to electronic health records and other information systems.

“What (the FDA) could do better is expand the scope to include guidance for other components of medical devices,” says Roubinder Singh, senior security solutions architect at Mocana, a provider of security solutions for the Internet of Things.

Guidelines don’t encompass enough

David Holtzman, vice president of privacy and security compliance services at health care security and privacy provider CynergisTek, says the narrow scope of the FDA guidance has an unintended consequence—leaving out the problem created by integrated systems.

“The majority of data breaches that we are aware of have not involved FDA-regulated devices,” he says. “By and large, the breaches we hear about concern information systems—but these information systems can be infiltrated through the regulated medical devices, and that’s a concern.”

Holtzman disagrees with some experts who say the FDA is right not to overreach beyond the scope of harm to human health. The medical devices are designed to integrate into the clinical settings that are managed by the information systems—and that integration opens up the entire enterprise to cybersecurity threats, he says.

“This is the first step toward recognition of the threat,” he says. “My hope would be that the vendors and the FDA would come to realize that we would all benefit if this guidance was made mandatory.”

Peter Graham, Mocana vice president

All bark, no bite

Another criticism is that there is no enforcement mechanism backing the limited best practices called out by the FDA.

“There’s really no teeth behind it,” says Peter Graham, a Mocana vice president. “Traditionally what’s missing from these documents is the implementation source.”

The lack of details leaves things up for interpretation if companies are facing enforcement action, says Jana Landon, founder and chair of the e-discovery team at the law firm Stradley Ronon Stevens & Young.

Jana Landon, founder and chair of the e-discovery team at Stradley Ronon Stevens & Young

“The standard right now doesn’t have a lot of particularity, so what’s reasonable under the standard is up to the individual investigator,” she says.

The FDA recommendations for manufacturers include:

  • Adopting the National Institute of Standards and Technology’s “Framework for Improving Critical Infrastructure Cybersecurity,” which was developed as a result of President Obama’s 2013 executive order to improve critical infrastructure cybersecurity;
  • Developing a process for assessing risk based on how the vulnerability can be exploited and how severely that would impact patients;
  • Practicing “good cybersecurity hygiene,” as well as remediating vulnerabilities “to reduce the risk of compromise to essential clinical performance to an acceptable level”;
  • Defining essential clinical performance to develop cybersecurity risk mitigation;
  • Providing customers and the user community with information on workarounds, fixes and residual cybersecurity risks.

Shared learning

The FDA also is placing an emphasis on participation in information sharing and analysis organizations (ISAOs), which were part of the 2015 presidential executive order. For manufacturers that participate in information sharing, the FDA will not enforce certain reporting requirements under the guidance.

Rich Campagna, Bitglass vice president of products and marketing

Rich Campagna, vice president of products and marketing at cloud access security broker Bitglass, says the information-sharing aspect is positive. He points to examples of other industries, like financial services, that are learning from one another about vulnerabilities and exploits.

“It allows for mutual learning and accelerates things,” he says. “You don’t have to learn from your own mistakes.”

Mocana’s Singh says the breadth of medical devices will present challenges for manufacturers looking to implement the guidance. Each device is different in terms of its operating system, memory cards, chips and so on—which means each security patch is different as well.

“The guidance does a good job describing what manufacturers should do, but the challenge would be how to go about implementing that process, or how to go about identifying vulnerabilities and then fixing them,” he says.

Problem more complex

And those patches are just the first step.

“Since these are postmarket devices, it still comes down to the customers to actually implement these patches in a timely manner,” Campagna says.

Oftentimes, he says, health care organizations don’t have the infrastructure they need to support all the devices. But they also are concerned about impacts on functionality.

“A critical patch could break something else—and those issues cause people to slow down adoption of the patch,” he says.

Compounding the problem, according to Landon, is the fact that it could take a decade or more for a product to make it to market—and many existing devices also are very outdated.

“You need to have the hardware and software on the machine that can actually support a patch, and that’s part of the problem,” she says.
