FDA, MITRE offer tips for med device cybersecurity
Update: HIMSS20 has been canceled due to the coronavirus.
Because threats and vulnerabilities cannot be eliminated, reducing cybersecurity risks is especially challenging – and medical device manufacturers and health care delivery organizations need to take steps to ensure appropriate safeguards are in place.
The U.S. Food and Drug Administration, in partnership with the MITRE Corporation, has already championed two initiatives to improve medical device cybersecurity preparedness and response.
The first is the development and use of a medical device cybersecurity sandbox to enable security research and technical evaluation of medical device vulnerabilities and potential mitigations across health systems, device manufacturers, and the FDA.
"The FDA recognizes the importance of having a medical system-of-systems environment, such as sandboxes, that can simulate cyber attacks, assess medical device vulnerabilities, and test out remediation and mitigation strategies, without exposing patients to risk," said Dr. Suzanne Schwartz, director of the office of strategic partnerships and technology innovation at FDA.
Schwartz, who will speak March 11 at HIMSS20 alongside an expert from MITRE, explained that medical device manufacturers and the healthcare community at large could benefit from the availability of clinical simulation centers and sandboxes as a safe space to identify, analyze and manage security vulnerabilities – all toward the goal of minimizing the potential impacts to device performance and enhancing patient safety.
The second initiative involves the exploration of the viability and execution of a CyberMed Safety Analysis Board to integrate critical patient safety and clinical environment dimensions into the assessment and validation of high-risk/high-impact device vulnerabilities and incidents.
Schwartz said the FDA strongly encourages stakeholders to share information about cybersecurity risks and vulnerabilities with one another, and that the agency routinely disseminates such information publicly, pointing out that a list of its cybersecurity safety communications is publicly available.
"Additionally, the FDA has various cybersecurity information sharing agreements with various stakeholders to help us further protect and promote the public health," Schwartz said, noting additional helpful information is available on the FDA’s website.
She explained that as the number of medical devices that are susceptible to cybersecurity threats grows, it will be increasingly important that stakeholders, including medical device manufacturers, the user, the information technology system integrator, health IT developers, and an array of IT vendors that provide products that are not regulated by the FDA, have shared responsibility for cybersecurity risk management.
"The healthcare environment is complex, and manufacturers, hospitals, and facilities must work together to manage cybersecurity risks," Schwartz said. "For example, medical device manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices. This includes risks related to cybersecurity, and health care delivery organizations should evaluate their network security and protect their hospital systems.
"Both are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance," she said.
Suzanne Schwartz of FDA and Margie Zuk of MITRE will share other device security recommendations at HIMSS20 in a session titled "Getting to Ground Truth on Medical Device Vulnerabilities." It's scheduled for Wednesday, March 11, from 1-2 p.m. in room W204A.