Medical Device Cybersecurity Fda Congress Hacking


Medical Device Cybersecurity: How the US Food and Drug Administration and Other Stakeholders Are Collaborating to Increase Patient Safety

by Sonali P. Gunawardhana and Margaret Horn

When one thinks of cybersecurity, it is easy to think of the villainous hackers portrayed in a variety of Hollywood thrillers. Cybersecurity breaches have traditionally been portrayed in films as hitting financial institutions and causing devastating events to unfold. In some films the hacking is in aid of a masterful heist in which the main protagonist is trying either to thwart the robbery or to jet off to a luxurious island with millions in tow. Most story plots do not revolve around hacking a medical device. The Showtime series Homeland, however, made what seemed implausible a truly possible event: the plot revolved around the hacking of the Vice President’s pacemaker to make it malfunction, eventually causing the Vice President’s death. The hacking of a medical device for monetary gain or to cause catastrophic events is not merely the stuff of fiction, but a tangible and constantly monitored risk. The US Food and Drug Administration (FDA) and several other federal agencies are collaborating with a variety of stakeholders to safeguard patients from cybersecurity risks.

Many of today’s medical devices are increasingly connected to the Internet, to hospital networks, and to other medical devices to provide features that enhance the ability of health care providers to care for patients and improve health outcomes. Unfortunately, these same features also increase exposure to cybersecurity threats: many high- and moderate-risk medical devices can transmit data directly over the hospital’s IT network, or communicate wirelessly with other devices within the hospital or even with a clinician’s phone. Medical devices, like other computer systems, can be vulnerable to security breaches that compromise the safety and effectiveness of the device, which may lead to catastrophic health consequences.

Unfortunately, threats and vulnerabilities cannot be eliminated, and reducing security risk can be challenging for all stakeholders, from the device manufacturer, to the hospital or healthcare practitioner, and ultimately to the patient. The health care environment is clearly multifaceted; therefore, it is imperative that medical device manufacturers, hospitals, and facilities work together to manage security risks. Many medical device manufacturers are now grappling with how best to ensure that their devices are used solely for their intended use in caring for patients, and to prevent harm by those with unscrupulous intentions. FDA, along with several sister agencies, is working to develop a risk-based framework that relies on the varied stakeholders working together toward a goal of trust and transparency.

Initial Efforts by Key Federal Regulators to Address Cybersecurity Risks

FDA has been ramping up its cybersecurity efforts in recent years, starting in 2013 with the formation of a “cybersecurity working group” and the publication in 2014 of guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.”1 The guidance outlines FDA’s expectation that manufacturers develop long-term plans for the cybersecurity of the products being developed. The Food and Drug Administration Safety and Innovation Act of 2012 (FDASIA)2 requires FDA to partner with several federal agencies, given their shared regulatory oversight of these interconnected and wireless devices.

As a result, FDA worked closely with the Federal Communications Commission (FCC) and the Office of the National Coordinator for Health Information Technology (ONC) to propose a strategy for an appropriate, risk-based regulatory framework for health IT that promotes innovation, protects patient safety, and avoids unnecessary and duplicative regulation. On April 3, 2014, FDA, FCC, and ONC released the FDASIA Health IT Report3 outlining the proposed risk-based framework.

FCC continues to support this relationship by adopting rules and policies that promote the development of wireless medical devices while implementing important technical standards. All wireless medical devices use a frequency within the electromagnetic radio spectrum and operate under FCC authorization. The Commission has incrementally allocated spectrum for wireless medical devices. For example, FCC has allocated ranges of the spectrum for: 1) wireless medical telemetry devices that measure patients’ health parameters (such as wireless cardiac monitors); 2) MedRadio, implanted and body-worn wireless devices used for diagnostic and therapeutic purposes; and 3) medical body area network (MBAN) technology, networks of wireless sensors that transmit patient health data to their healthcare providers.4 Under its rulemaking authority, FCC also ensures that medical devices may not be marketed until they have shown compliance with its technical standards.5

To further its accessibility mission, FCC created the CONNECT2HEALTH Task Force to accelerate adoption of health care technologies in the areas of telehealth, mobile applications, and telemedicine by leveraging broadband and identifying regulatory barriers to overcome.6 In 2017 the Commission also released a public notice seeking comment on accelerating the adoption and accessibility of broadband-enabled health care solutions.7 This aspect of FCC’s mission focuses on access to broadband in rural areas, which is essential to providing telemedicine services, including remote review of patient health data by providers and remote medical consultations.

FDA’s Continued Efforts to Manage Postmarket Cybersecurity Concerns

FDA continued its efforts to address legacy devices by issuing guidance entitled “Postmarket Management of Cybersecurity in Medical Devices”8 (released in draft in January 2016 and finalized in December 2016). FDA was concerned about health care delivery organizations that continue to use legacy devices that were not designed to receive timely cybersecurity updates. Many older devices were not designed with cybersecurity in mind, and they may use insecure software, hardware, or protocols, leaving them vulnerable to attack. This guidance sets out expectations for gathering and sharing information about cybersecurity threats and vulnerabilities with various stakeholders, unlike the premarket guidance, which was primarily concerned with the security engineering performed by the device manufacturer.

The recommendations in the postmarket guidance were initially considered controversial by some because FDA called upon medical device manufacturers, healthcare providers, and white-hat hackers to share previously guarded information in order to address shared cybersecurity vulnerabilities. In recent years there have been numerous ransomware attacks on healthcare providers, including the devastating WannaCry attack of May 2017, which wreaked havoc on the United Kingdom’s National Health Service (NHS) as well as on hospitals in the United States. WannaCry spread through a flaw in the SMBv1 file-sharing protocol of Microsoft Windows for which a patch (MS17-010) had been available for two months; any unpatched, network-reachable Windows system, including embedded Windows in medical devices, could be compromised without user interaction. The attack highlighted just how unprepared hospitals and medical device manufacturers were to deal with cybersecurity threats. Continued attacks on the healthcare system made it abundantly clear that these key players would need to partner in order to prevent future ransomware attacks. As a result, many of those impacted turned to the recommendations in the postmarket guidance as a road map, though some still felt that the recommendations were not comprehensive.

In response to concerns that FDA’s postmarket cybersecurity efforts did not go far enough, the Office of Inspector General (OIG) of the Department of Health and Human Services audited FDA’s cybersecurity efforts. OIG issued a report9 on its findings, outlining the issues FDA faces with postmarket cybersecurity and recommending the following actions:

We recommend that FDA do the following: (1) continually assess the cybersecurity risks to medical devices and update, as appropriate, its plans and strategies; (2) establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders who have a “need to know”; (3) enter into a formal agreement with Federal agency partners, namely the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, establishing roles and responsibilities as well as the support those agencies will provide to further FDA’s mission related to medical device cybersecurity; and (4) ensure the establishment and maintenance of procedures for handling recalls of medical devices vulnerable to cybersecurity threats.10

To address OIG’s recommendations and respond to the rapidly evolving nature of cyber threats, FDA issued a draft update to its premarket guidance11 so that its recommendations reflect the current threat landscape and manufacturers are in the best position to address cybersecurity proactively when designing their devices. The recommendations also describe how manufacturers can better protect their products against different types of cybersecurity risk, from ransomware to a catastrophic attack on a health system. The central idea woven through the guidance is that manufacturers must adequately address device cybersecurity across the total product lifecycle in order to protect patients from cybersecurity threats. The updated recommendations will also assist FDA in its premarket review, which in turn will help ensure that devices are designed to address cybersecurity threats before they reach patients.

The draft guidance incorporates other new recommendations, notably a “cybersecurity bill of materials” (CBOM): a list of the commercial and/or off-the-shelf software and hardware components of a device that could be susceptible to vulnerabilities. FDA believes that such a bill of materials will enable device users or owners, such as hospitals and health systems, to evaluate their inventory more efficiently, identify devices susceptible to cyber events when a vulnerability in a component is disclosed, and prioritize risk mitigation. The guidance also outlines two tiers of devices: Tier 1, “higher cybersecurity risk,” for devices that can connect to another device, a network, or the Internet and for which a cybersecurity incident could directly result in patient harm, which includes implanted devices such as pacemakers and neurostimulators; and Tier 2, “standard cybersecurity risk,” for devices that do not meet both Tier 1 criteria.12
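The inventory check that a CBOM is meant to enable, as an added worked example that is not part of the original article or of any FDA guidance: a small Python script that matches each device’s bill of materials against a list of component advisories and orders the findings so that Tier 1 devices come first. The device records, component names, and advisory identifiers (EX-2018-00x) are constructed for this illustration, and the CBOM field layout is an assumption, since the draft guidance asks for a bill of materials but prescribes no format.

```python
"""Inventory triage from a cybersecurity bill of materials (CBOM).

Added illustration: the device records, CBOM entries and advisory list below
are constructed for this example, and the CBOM field layout is an assumption;
FDA's draft guidance asks for a bill of materials but prescribes no schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Component:
    name: str        # commercial / off-the-shelf software or hardware component
    version: str


@dataclass
class Device:
    asset_id: str
    model: str
    connectable: bool          # can connect to another device, a network or the Internet
    direct_patient_harm: bool  # a cybersecurity incident could directly harm the patient
    cbom: List[Component] = field(default_factory=list)

    def tier(self) -> int:
        # Tier 1 ("higher cybersecurity risk") requires BOTH criteria from the
        # draft premarket guidance; everything else is Tier 2 ("standard").
        return 1 if self.connectable and self.direct_patient_harm else 2


@dataclass
class Advisory:
    advisory_id: str   # constructed identifiers, not real advisories
    component: str
    fixed_in: str      # first version that carries the fix
    summary: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.1' or '2.4.1-rc2' into a comparable tuple of integers (leading digits per field)."""
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums)


def is_affected(component: Component, adv: Advisory) -> bool:
    """True when the component is the one named and its version predates the fix."""
    if component.name != adv.component:
        return False
    have, fixed = parse_version(component.version), parse_version(adv.fixed_in)
    width = max(len(have), len(fixed))          # pad so '2.5' and '2.5.0' compare equal
    have += (0,) * (width - len(have))
    fixed += (0,) * (width - len(fixed))
    return have < fixed


def triage(devices: List[Device], advisories: List[Advisory]) -> List[Dict[str, object]]:
    """Match every CBOM entry against every advisory; Tier 1 devices sort first."""
    findings = []
    for dev in devices:
        for comp in dev.cbom:
            for adv in advisories:
                if is_affected(comp, adv):
                    findings.append({
                        "asset_id": dev.asset_id,
                        "model": dev.model,
                        "tier": dev.tier(),
                        "component": f"{comp.name} {comp.version}",
                        "advisory": adv.advisory_id,
                        "fixed_in": adv.fixed_in,
                    })
    # Prioritize: Tier 1 before Tier 2, then by asset id for a stable work list.
    findings.sort(key=lambda f: (f["tier"], f["asset_id"]))
    return findings


# --- constructed sample inventory and advisories (not real products or CVEs) --
DEVICES = [
    Device("ICU-PUMP-01", "infusion pump", connectable=True, direct_patient_harm=True,
           cbom=[Component("netstack", "2.4.1"), Component("embedded-os", "5.1")]),
    Device("IMG-CT-07", "CT console", connectable=True, direct_patient_harm=False,
           cbom=[Component("embedded-os", "5.1"), Component("dicom-svc", "3.0")]),
    Device("OR-VENT-03", "ventilator (no network)", connectable=False, direct_patient_harm=True,
           cbom=[Component("embedded-os", "5.1")]),
    Device("WARD-THERM-22", "bluetooth thermometer", connectable=True, direct_patient_harm=False,
           cbom=[Component("bt-le-stack", "1.2")]),
]

ADVISORIES = [
    Advisory("EX-2018-001", "netstack", "2.5.0", "unauthenticated remote code execution"),
    Advisory("EX-2018-002", "embedded-os", "5.2", "wormable file-sharing protocol flaw"),
    Advisory("EX-2018-003", "bt-le-stack", "1.3", "pairing bypass within radio range"),
]


def main() -> None:
    for f in triage(DEVICES, ADVISORIES):
        print(f"Tier {f['tier']}  {f['asset_id']:<14} {f['model']:<24} "
              f"{f['component']:<18} {f['advisory']} (fix: {f['fixed_in']})")


if __name__ == "__main__":
    main()
```

Running the script prints a work list with the infusion pump’s two findings at the top. The isolated ventilator carries the same vulnerable operating system as the pump but lands in Tier 2, because under the draft guidance’s definition both criteria (connectable and capable of direct patient harm) must hold; a hospital would still patch it, just behind the network-reachable Tier 1 devices. The version padding keeps a component already on the fixed release from being flagged when the advisory and the CBOM write the version with different numbers of fields.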

Agency Collaboration

In addition to the recently updated premarket guidance, FDA and the US Department of Homeland Security (DHS) recently announced a memorandum of understanding (MOU)13 implementing a new framework for greater coordination and cooperation between the two agencies on medical device cybersecurity. The purpose of the memorandum is to share information and collaborate more effectively in order to stay a step ahead of constantly evolving medical device vulnerabilities, and to be well positioned to respond proactively when vulnerabilities are identified.

In furtherance of the MOU, DHS, through its National Cybersecurity and Communications Integration Center (NCCIC), and FDA routinely work in parallel on medical device cybersecurity vulnerabilities. In October 2018, cybersecurity vulnerabilities were disclosed affecting the programmers used with Medtronic cardiac implantable electrophysiology devices (CIEDs). Both agencies released alerts reflecting their respective missions. FDA’s alert communicated the vulnerabilities and recommendations to the health care community and assessed the potential risk to patient health, and FDA approved a Medtronic network update to address the vulnerability.14 NCCIC’s advisory conveyed the technical details of the vulnerabilities and mitigation techniques to users.15

NCCIC offers many technical services to detect and mitigate threats in both the public and private sectors through cybersecurity alerts, training, cybersecurity evaluation tools, and incident response services. NCCIC also serves as the coordinator for sharing information on cybersecurity threats between device manufacturers, researchers, and FDA. In this coordinating capacity, NCCIC deals with global cyberattacks that may implicate critical infrastructure across many industries worldwide, including medical devices. For instance, in 2017 NCCIC coordinated with other agencies and experts to combat the global WannaCry ransomware campaign. That attack exploited a Windows vulnerability to remotely compromise victim systems across many industries, including certain medical devices running on Windows platforms.16

Medical device cybersecurity is only one task within the vast purview of DHS’s cybersecurity mandate. DHS serves as the nation’s central cybersecurity risk-spotter, incident responder, and operational integration center for all systemic cybersecurity issues in the US. The agency is charged with securing the entire U.S. critical infrastructure in cyberspace, which covers everything from health care services to public utilities to financial services. Given the agency’s huge cybersecurity mission, coordination with key stakeholders in the field on medical device cybersecurity, including FDA, is crucial to addressing these threats.

Encouraging Further Collaboration Among Key Stakeholders

In addition to issuing guidance documents to assist industry, FDA recently held a fourth public workshop, on January 29 and 30, 2019, entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” The workshop focused not only on the new draft premarket guidance issued in October 2018 but also on the continued use of legacy devices and the importance of the total product lifecycle in advancing medical device cybersecurity and safety. The key principles of the workshop centered on the cornerstones of resilience, trustworthiness, and transparency, which require continued collaboration among government agencies, industry, security researchers, patients, and health care providers.17 There were many attendees from diverse backgrounds, as well as numerous breakout sessions such as the following: Threat Modeling and Systems Approaches; Risk Assessment Approaches and Labeling; Leveraging Innovation and Collaboration in the Ecosystem to Advance Cyber Safety; and Establishing Trust, Embracing Transparency, Increasing Resilience: Best Practices and Tools.

FDA representatives at the workshop also encouraged stakeholders to participate in the upcoming DefCon Biohacking Village, scheduled for early August 2019 in Las Vegas, Nevada. FDA is encouraging participation in order to increase medical device manufacturer presence, introduce cybersecurity issues to the clinical community, and further engage healthcare delivery organizations.18 The DefCon Biohacking Village is a departure from the way FDA has traditionally approached a growing regulatory issue, but this is not surprising given the intricacies that the world of cybersecurity entails. The website for the Biohacking Village states that the “Village brings together thousands of attendees, along with featured inventors, world-class makers, cybersecurity researchers, self-made entrepreneurs and workshop experts from around the world, to create real solutions for some of humanity’s most pressing challenges and opportunities in the areas of health, education, security, and more.”19 The mission statement of this organization sounds so promising that it is hard to think of a more suitable opportunity to collaborate.

FDA appears to truly appreciate the importance of continued collaboration given the ever-changing cybersecurity landscape. We believe it is safe to say that cybersecurity issues will remain a steadfast challenge due to the continued use of legacy devices in diverse healthcare delivery systems, as well as the introduction of novel interconnected medical devices to provide better and more efficient healthcare for patients.

  1. https://www
  2. Pub. L. 112–144.
  6. technology-actions-and-activities-timeline.
  16. , last visited 3/5/2022.


