The U.S. Food and Drug Administration and the MITRE Corporation are working together to foster a more collaborative approach to addressing the sometimes abject vulnerability of critical medical devices to cyberattack.
At HIMSS16, in fact, FDA director of emergency preparedness, operations and medical countermeasures Suzanne Schwartz, MD, and MITRE senior principal cybersecurity engineer Margie Zuk will discuss those efforts during the session “Systemic Management of Medical Device Cybersecurity.”
Schwartz shared some thoughts on device security ahead of the conference.
Q: What basic security tactics do you recommend hospitals take?
A: We are looking to both manufacturers and healthcare delivery organizations to incorporate threat monitoring, cyber hygiene for better prevention of attacks and active responses to identified vulnerabilities. It's important for both manufacturers and healthcare delivery organizations to recognize the new reality today: hospitals and health care systems are under constant attempts at attack and intrusion of their networks. Protection of these systems, which contain highly sought-after personal health information and personal identity information, means that medical devices need to be better secured as well.
Q: What are some of the biggest cyber threats today?
A: Malware and unintentional infections (i.e., an employee accidentally infecting a computer/network with malware). The prevalence of malware on networks — including in hospitals and other healthcare delivery organizations — is a primary concern. Medical devices that are vulnerable to these sorts of intrusions and that do not have appropriate cyber hygiene practices or vulnerability management policies built in pose a potential risk to the patient if their ability to function is impaired.
Q: What specifically is FDA doing in collaboration with MITRE to foster better clinical security?
A: Our work with MITRE began in the fall of 2014. Again, MITRE is a federally funded research and development center tasked with helping us at FDA advance the medical device security vision. They'll do so by evolving a medical device vulnerability ecosystem that will share relevant cybersecurity information among both government and private sector stakeholders.
How are we doing this? Well, to start with, through stakeholder engagement and in-depth interviews across the country, developing a roadmap for implementing the medical device vulnerability ecosystem that will reflect agreed-upon stakeholder roles and responsibilities, and ultimately, where this gets to is developing and designing a "trusted environment" for collecting, analyzing and sharing medical device vulnerability and security information.
Going forward in 2016, we are excited to have MITRE's expert support in adapting the Common Vulnerability Scoring System to serve as a vulnerability assessment tool that would be meaningful to the clinical environment, and directly applicable to medical devices. We believe that having a common taxonomy that fits the needs of the healthcare setting where medical devices reside, and that takes into account specific considerations that are unique to the use of these products, will be of great benefit to stakeholders in advancing the state of medical device security.
Q: How has FDA’s thinking or strategies changed in recent years as threats have evolved?
A: The process of working with medical device manufacturers on this issue has been evolving over the last 10 years and continues to change today. Early challenges included getting to a basic, common understanding of who was responsible for ensuring cybersecurity of devices (it's shared), understanding the vulnerabilities users were experiencing and the challenges manufacturers were facing in trying to address them, the need for consistent standards, and the need for guidance clearly describing the FDA's thinking about how we expect manufacturers to demonstrate that they have addressed vulnerabilities from a total product lifecycle.
Current regulations also allow the FDA to take action against products that impact or potentially impact the health and safety of patients, when they do not function as originally intended.
The HIMSS16 session "Systemic Management of Medical Device Cybersecurity" will take place on March 2, 2016, from 2:30 to 3:30 in Marcello 4401 at the Sands Expo Convention Center.