Unique partnership between FDA and DHS protects medical devices


We have entered a new level of connectivity, convenience and efficiency with the Internet of Things (IoT). The healthcare community is experiencing this growth and with the availability of data, improved patient care is imminent. With these advancements, however, comes greater risk. The majority of connected medical devices were designed, built and purchased around ten years ago. Likewise, the cybersecurity threat vectors from a decade ago were much different than today. This is a multi-billion-dollar problem for the healthcare industry.

“An overwhelming majority of providers — 96 percent — point to the manufacturer as the cause of many of these device-related security issues,” according to Health IT Magazine. Out-of-date operating systems or the inability to patch devices are primary factors for the security issues.

In this edition of Cyber Chat with Sean Kelley, Sean sits down with Dr. Suzanne Schwartz, associate director for Science & Strategic Partnerships at the Center for Devices and Radiological Health, and Christopher Butera, deputy director for Cyber Threat Detection and Analysis at the National Cybersecurity and Communications Integration Center.

In October 2018, the FDA released a medical device security playbook that includes a roadmap to secure medical devices.

Advertisement

The FDA works closely with the vendors “to make sure that they’re able to patch these systems,” Schwartz said. “But the other thing I want to mention is we try to preach the in-depth defense scenario where we have good segmentation between medical devices and IT devices.”

“Medical devices are exploited in such a way where they’re not usually connected directly to the internet,” she added. “Rather, they’re often connected to an enterprise IT environment and results in the emergence of infection or compromised IT environment. Nonetheless, putting in place proper segmentation and intrusion detection — among other effective controls between the IT network and the medical device segments — happens to be a vital consideration we are trying to get owners and operators to do. ”

Schwartz also said medical device manufacturers are receptive to the federal government’s guidance.

“FDA has released policy around what our expectations are about the maintenance of devices through its lifecycle, which also includes management of cybersecurity through the lifecycle,” she said.

Schwartz said it becomes important to balance the concepts of maintaining, servicing and continuously managing the vulnerability and security of those devices.

“However, at the same time, we must be fostering the development of new devices which are going to have significant security built into them. With this, the legacy issue which we are facing today will be such that will eventually go away,” Schwartz said.

NCCIC’s Butera said the FDA’s playbook “formalizes the working relationship that we’ve had for some years, specifically around vulnerability coordination with medical device vendors and this also includes the research community. We coordinate a wide range of cybersecurity advice, and when we have the kind that needs specific things — for example, the impact to patient safety and things in a similar category — those are the times when we coordinate with FDA and other related experts because DHS aren’t medical professionals.”

Butera said when a specific cyber vulnerability presents itself in such a way that patients’ safety will be affected, DHS works with FDA to access relevant answers and to disseminate required information to the general public.

November 2018, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act, replacing the National Protection and Programs Directorate.

“We’re excited to have an agency name [CISA] the public can understand and relate with,” Butera said. “It creates a central place regarding coordination for all cyber issues and [puts us in a position to be] a leader in emergency communications and infrastructure security [as well as] the one-stop shop to be the risk manager for the nation.”

Takeaways:

  • DHS is responsible for securing all 16 critical infrastructure sectors including public health, and this also involves trying to understand what these vulnerabilities are, and what the impacts are of telehealth.
  • Cybersecurity is a critical component of that premarket review process of medical devices. FDA issued guidance in 2014 on cybersecurity for medical devices which tells manufacturers FDA’s expectations regarding their premarket submissions.
  • FDA recently released updated premarket guidance that requires medical device manufacturers to incorporate security into medical devices before they go onto the market.
  • FDA highlighted specific themes in its premarket guidance: ‘The trustworthiness of these devices,’ ‘transparency around the devices,’ and ‘communication of the parts in those devices and its resilience.’
  • Cybersecurity and Infrastructure Agency Act of 2018 created a central place to coordinate cyber issues and to manage emergency communications and infrastructure security.
  • Medical device approval process can vary from several months to years depending on the type of data needed.