Think Twice Before Ignoring FDA Cybersecurity Guidance

Think FDA's cybersecurity guidance isn't enforceable? Think again.

Dave Saunders

FDA late last year published new guidance documenting postmarket management of cybersecurity in medical devices. It seems prudent to recognize this guidance for exactly what it is: a wake-up call for the medical industry that we are in the 21st century and the potential for hacking any medical device, whether it is connected to a network or not, is a problem that must be taken seriously. In the guidance, FDA provides the means of demonstrating a risk-based management approach to cybersecurity and medical devices. The agency also provides mitigation and reporting requirements that are governed by other sections of the Code of Federal Regulations (CFR) pertaining to medical devices. So, while some may argue that this guidance has no teeth and cannot be enforced, if a patient is harmed or put at risk by a potential cybersecurity vulnerability, what company's attorneys are going to argue that their client chose to ignore potential cybersecurity impacts on their medical device because they felt the guidance “didn't have any teeth”?


What the Government Stated

FDA's guidance on postmarket management of cybersecurity in medical devices was preceded by Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” and Presidential Policy Directive (PPD) 21, “Critical Infrastructure Security and Resilience.” These were issued after years of analysis and lessons learned the hard way. It was conclusively found that our country clearly had a cybersecurity problem. The executive order identifies that cyber threats to national security are “among the most serious, and that stakeholders must enhance the cybersecurity and resilience of critical infrastructure.” The order also requires federal government entities to “strengthen the security and resilience of critical infrastructure against physical and cyber threats such that these efforts reduce vulnerabilities, minimize consequences, and identify and disrupt threats.” As far as FDA is concerned, medical devices with embedded software and supporting infrastructure represent the world it has been directed to shore up and protect. Are there really any questions about this being just a suggestion or merely guidelines?

If you study the history of cybersecurity analysis throughout the military and federal government, you will see that these directives and orders are based on the clear understanding that cybersecurity vulnerabilities are a major risk to all industries and sectors, whether they are private or government-controlled. Much of this analysis has shown that the majority of threats and exposed vulnerabilities result from individuals and organizations not having sufficient processes in place to assess and mitigate threats and vulnerabilities, and in some cases having none at all.

Doing the Right Thing

A sound cybersecurity threat mitigation strategy can be summed up as follows: identify, protect, detect, respond, and recover. This cycle should include a regular analysis of all elements of a product to examine what possible failure modes may exist, including the potential risk and mitigation strategies. While the specific analysis may require new specialists to join the team, cybersecurity threat analysis is just another application of the continuous improvement processes normally found in a product’s life cycle.

According to the FDA guidance, “in the absence of remediation, a device with uncontrolled risk of patient harm may be considered to have a reasonable probability that use of, or exposure to the product will cause serious adverse health consequences or death.” Without including a good cybersecurity review program in your product development process, how would you know if potential cyber threats and vulnerabilities qualify as an uncontrolled risk?

For the most part, many cybersecurity vulnerabilities may be lumped into what the document refers to as "cybersecurity routine updates and patches" and do not require advance notification for reporting under 21 CFR 806. That seems simple enough, but without a thorough examination of each vulnerability, how do you know what the potential patient impact might have been? This may all seem like a circular argument, but I would love to know the name of the first medical device company that attempts to use something like this as its defense for a cybersecurity vulnerability in a medical device that it left unaddressed. 

Conclusion

I strongly recommend being forearmed against cyber risks during the development stage, when your efforts will be far more effective. Being prepared for cyber attacks can also be far more cost-effective than not doing so.

News of small cybersecurity vulnerabilities in the medical industry is hard to come by, but occasionally it does make headlines. In 2015, it was reported that the Symbiq medication infusion pump was vulnerable to hacking. It could be hacked to change drug dosages to a patient while appearing to operate normally. This led to a forced recall by FDA, and Symbiq has since resolved the problem. FDA and the U.S. Department of Homeland Security also reported findings of cybersecurity vulnerabilities in St. Jude Medical heart devices in 2017. Some vulnerabilities are a bit more indirect. In 2014, Boston Children’s Hospital was effectively taken off of the Internet for several days by anonymous hackers.  

Events like these should remind medical device manufacturers that they cannot guarantee the network they operate on will remain secure and should take extra care in protecting their own devices from cyber mischief. They must ensure they don't become part of the problem in the event of a cyber attack on an organization. In the end, all device vendors are collectively responsible for cybersecurity within clinics and hospitals. Understand that if a device is on the network, for any reason, its operation can be affected or could be potentially hijacked for nefarious use.

Dave Saunders is the cofounder and senior vice president of product development at Silicon Valley-based Galen Robotics. He has applied his experience delivering more than 40 products from inception to market by translating advanced technology into products delivering key values to customers. This includes early Internet applications, computer-vision-guided bone saws, and dexterity-enhancing surgical robots.


Device vulnerabilities

Device vulnerabilities are certainly to be taken seriously, but a vulnerability is not the same as an actual (as opposed to hypothetical) adverse event which, for devices, is hard to find. In device vulnerability discussions there also seems to have been a neglect of probability, the major traditional second factor in risk assessment along with severity, and severity also seems to be poorly evaluated. I was once told that in cyber probability must always be considered to be 1, unless it could be reduced to zero. But our ongoing experience is that zero is unattainable unless perhaps if you disconnect from the internet, which may be an increasingly attractive option.