An expert discusses the latest milestones in the push to increase medtech cybersecurity and what he believes will be key hurdles and achievements this year.
It’s easy to dismiss discussions of medical device cybersecurity as all gloom-and-doom. Just scan the scary headlines about hackable devices and weighty alerts from the FBI.
But one cybersecurity ace sees recent developments in a more positive light. Corman, cofounder of I Am The Cavalry, was one of the organizers of the CyberMedRx Medical CyberSafety Summit held in December and he views the collaboration among numerous stakeholders and FDA’s recent approach to the issue as big wins. "What [FDA is] doing instead of adding a lot of new regulatory burden is they're interpreting existing ones in an elegant way," he said.
2015 a Year of Collaboration
A grassroots organization founded in 2013, The Cavalry focuses on cybersafety in the medical, home, automotive, and public infrastructure fields. The mood at the December summit was in line with what Corman explains are the organization's “Four C’s”: Collecting, Connecting, Collaborating, and Catalyzing. "There was a belief that pulling these stakeholders together, that A: they wouldn't come—and we had nearly every stakeholder group represented—and then B: that there'd be fireworks . . ." he said.
Instead of fireworks, highlights included a physician's testimonial that cybersecurity professionals are often viewed as the cause of device delays and "the voice of no," as well as another viewpoint from Marie Moe, a pacemaker patient and information security researcher, on the importance of understanding how to reduce the risk of abuse. (Watch a talk Moe gave recently, "Unpatchable: Living with a vulnerable implanted device.")
The all-together-now atmosphere at the summit was an extension of what Corman calls the "high trust, high collaboration" approach adopted by FDA leaders like Suzanne Schwartz, MD, MBA, who spoke at the event and is CDRH associate director for science and strategic partnerships. This teamwork attitude began with the agency's communication with cybersecurity stakeholders about its October 2014 "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" guidance for industry and was solidified after vulnerabilities in the Hospira Symbiq Infusion System were made public. Since then, Corman said, "There's been an incredibly high focus on the value of the altruistic research community, the protectors. Destigmatizing the idea that all hackers are bad . . . there's a very large swath of people who just want to make the world a safer place."
In July 2015, FDA published a safety communication on the cybersecurity vulnerabilities in the Hospira Symbiq and urged users to transition to other infusion systems. This was unique, because besides being the first safety communication of its kind, it marked a transition, with FDA "essentially saying, for a cyberissue with zero proof of harm, the fact that there is an unmitigated pathway to harm was sufficient to trigger corrective action," Corman said. With the publication of this FDA communication, "it dawned on me that we didn't have to wait for anybody to die," he said.
More Clarity Coming in 2016
There should be additional promising developments this year. Later this month, FDA will be convening a public workshop, "Moving Forward: Collaborative Approaches to Medical Device Cybersecurity," on what else is needed to advance medical device cybersecurity. Also on the way is FDA postmarket guidance for medical devices, which Corman hopes will include a strong focus on the importance of coordinated disclosure—encouraging altruistic researchers to report bugs and vulnerabilities in on-the-market devices:
"I'm very eager to see what is actually in [the postmarket guidance] when the draft is published because I think we're finally going to get to a point where this will be the compelling event—the implicit precedent set by the safety communication on Hospira plus the explicit language of the postmarket guidance for how you should seek to learn of vulnerabilities and how to quickly respond to vulnerabilities. And when you're not able to, that'll probably trigger recalls."
Corman laughingly adds that he wants to see a public service announcement to spread awareness that a medical device's software can be patched for security reasons without requiring re-certification. This is something that has been published in FDA's premarket guidance—which reads, "The FDA typically will not need to review or approve medical device software changes made solely to strengthen cybersecurity"—but is not yet fully accepted or believed in practice. "There's a difference between having the guidance . . . and successfully driving education awareness and adoption of the guidance. I think the rest of the year will be the latter," Corman said.
Marie Thibault is the associate editor at MD+DI. Reach her at [email protected] and on Twitter @medtechmarie.