FDA exec to medical device manufacturers: 'Bake security into the design'
As more networked medical devices linked up, and as hackers ramp up their attack attempts on connected technologies, FDA is evolving in its approach to device security, said Suzanne Schwartz, MD, associate director for science and strategic partnerships at the agency's Center for Devices and Radiological Health.
FDA's mission is "harnessing the collective will and creating a community of multi-stakeholder engagement," said Schwartz, speaking Wednesday at the Healthcare Security Forum in Boston.
In a fast-evolving ecosystem of connected medical devices, FDA is taking a hard look at security gaps and safety risks. Manufacturers must also work to continually assess and address the cyber risks of medical devices on the market, she said.
"The thrust of what we do has to be proactive and forward-leaning," said Schwartz. "We don't want to be reactive."
FDA is working to "foster a culture of continuous quality improvement," she added, with an eye toward total product life cycle.
Toward that end, it has established a risk management program that incorporates cybersecurity provisions from the NIST and encourages communications with groups such as NH-ISAC to share emerging information about cyber vulnerabilities and threats.
By engaging in such collaboration and coordinated disclosure, the hope is to then be able to deploy mitigations that address cybersecurity risks as early as possible, before they're exploited, said Schwartz.
"Many vulnerabilities are identified later on, during the use of the device," she said. "The key is to have a process in place to share that information."
Hackers are "collaborating" as they work to undermine devices and systems, she said. "We need to do so as well."
But it's best, of course, for devices to be safe from exploitation in the first place, said Schwartz.
Despite the "myth" that cybersecurity of medical devices is voluntary for manufacturers and not enforceable, she said, vendors are legally required to comply with all applicable regulations and are subject to pre- and post-market cybersecurity guidance that articulates a "comprehensive, structured and systematic" cybersecurity risk management program.
Weaknesses in system architecture and software leave far too many devices vulnerable to threats that could directly impact hospital network operations, data integrity or patient safety. So manufacturers must work to "bake security into the design," said Schwartz. "It's much easier to bake it in than to bolt it on as an afterthought."
Read our coverage of HIMSS Healthcare Security Forum in Boston.
⇒ Healthcare must move from risk to resilience, Tom Ridge says
⇒ Equifax hack: What cybersecurity pros are saying about the breach
⇒ Slow breach detection, patching, operational snags handcuff healthcare security
⇒ As hackers become more destructive, security needs an all-hands approach
⇒ Obama's cyber czar warns of 3 troubling security trends
⇒ Old legacy devices pose greatest security risk, experts say
⇒ HHS CISO: 3 things hospitals should do right now to strengthen cybersecurity
⇒ Why hospitals should join an ISAC immediately
⇒ 5 common HIPAA compliance pitfalls for healthcare orgs to avoid
⇒ 'Cybersecurity' term might be scaring off young talent
⇒ Cybersecurity is hard, got it? But let's stop blaming hospitals for every breach