How does the FDA’s new medical device action plan stack up?

In cybersecurity, it’s all about risk management: identifying and preventing potential vulnerabilities before they are exploited.

Connected medical devices are a cybersecurity minefield of risks. With more than 19,000 different devices in the market, the opportunity for a cyber attack is huge.

Last month, the FDA released its Medical Device Safety Action Plan that focuses on assuring the safety of medical devices through the Total Product Life Cycle (TPLC), communicating and resolving new or increased known safety issues, and advancing innovative technologies that address these safety concerns.

The Medical Device Safety Action Plan is a good first step in the right direction given that the FDA's current regulatory framework for devices is from the mid-1970s. However, there is a lot more to accomplish to protect connected medical devices. Here are some ways to expand upon and improve the Medical Device Safety Action Plan to get ahead of the cybersecurity risks associated with these devices.

1) Account for securing current in-market devices. While the Medical Device Safety Action Plan requires a unique ID system to track medical devices as they're distributed and used going forward, it does not adequately address the devices already in the market. This is a very challenging issue given that there are no useful-life requirements, so many of these devices are years or even decades old and still running the same operating system they were born with. One idea would be to require device manufacturers to address known vulnerabilities within a certain timeframe for all in-market devices for a specific number of years post production. This would help manage risk over time without requiring manufacturers to support these devices indefinitely.

2) Provide an approach for preparing for the future of cybersecurity. The plan addresses today’s problems and does not look toward the future. Policy and practices are needed that will prepare us for what comes next; otherwise, we’ll be right back where we started with an outdated regulatory framework. Something to consider is requiring manufacturers to “harden” devices in the pre-market submission phase to known standards such as the Center for Internet Security (CIS) Benchmarks or the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). If devices came “off the shelf” hardened, that would set them on the right path out of the gate and make vulnerability management more practicable. Couple this with clear guidance on vulnerability identification timelines and standardized communication pathways from device manufacturers to providers, and the entire ecosystem would be more manageable as risks evolve over time.

3) Hold manufacturers accountable for addressing vulnerabilities. When it comes to supporting a medical device, a provider can’t deploy updates unless the manufacturer has tested the update for performance issues. Providers need to hold their manufacturers accountable for conducting these tests and confirming devices are ready for use. One way to do this is by requiring service-level agreements around addressing vulnerabilities within a certain timeframe (e.g., 15 days for critical issues, 30 days for high issues). This will ensure both parties are aware of the expectations for resolution. To share information like this in a timely manner, there should be standards for how manufacturers communicate with providers and for the cadence of that communication, to ensure a more effective risk-mitigation process.

4) Determine class ratings, connectivity risks, and minimum device criteria. Currently, there are no class ratings for medical devices based on cybersecurity requirements. For example, if a device is connected to the network and to a patient at the same time, should this affect its class rating? In addition, there are connectivity issues that need to be addressed when implementing cybersecurity measures. First, we need to consider requiring device manufacturers to provide a very clear connectivity path to end users so that malicious behavior can be monitored with widely used, in-market security technologies. This path should outline which systems the device should communicate with, as well as the “normal” communication types, so that users have a better understanding of how their devices should behave on the network.
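To make the “connectivity path” idea concrete, here is an added example (not from the article or from any manufacturer) of how a provider’s monitoring could use such a declaration. A manufacturer-declared baseline lists each device’s expected peers, protocols and ports; observed flows are then classified as expected, a deviation from the baseline, or traffic from a device with no declaration at all. The device names, hostnames, the baseline itself and the flow-log format are all constructed for illustration; a real deployment would feed this logic from NetFlow, firewall or NAC logs rather than hand-written lines.

```python
"""Classify observed medical-device network flows against a
manufacturer-declared connectivity baseline.

Added illustration; the manifest layout, device names, hostnames and
log lines below are constructed and do not come from any real
manufacturer, provider or regulator."""

from dataclasses import dataclass

# Constructed baseline: for each device, the set of (destination,
# protocol, port) tuples the manufacturer says are "normal".
BASELINE = {
    "infusion-pump-01": {
        ("pump-server.hospital.local", "tcp", 8443),
    },
    "patient-monitor-02": {
        ("hl7-gateway.hospital.local", "tcp", 2575),
        ("ntp.hospital.local", "udp", 123),
    },
}


@dataclass(frozen=True)
class Flow:
    device: str
    dst: str
    proto: str
    port: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line of the form
    '<device> -> <destination> <proto>/<port>'."""
    device, _, rest = line.partition(" -> ")
    dst, proto_port = rest.rsplit(" ", 1)
    proto, port = proto_port.split("/")
    return Flow(device.strip(), dst.strip(), proto.lower(), int(port))


def classify(flow: Flow) -> str:
    """Return 'expected', 'deviation', or 'unknown-device'.

    A device with no declaration is reported separately from a declared
    device talking to an undeclared peer, because the two call for
    different follow-up (obtain a baseline vs. investigate the flow)."""
    expected = BASELINE.get(flow.device)
    if expected is None:
        return "unknown-device"
    if (flow.dst, flow.proto, flow.port) in expected:
        return "expected"
    return "deviation"


def find_deviations(lines):
    """Return [(verdict, Flow)] for every flow that is not expected."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict != "expected":
            findings.append((verdict, flow))
    return findings


# Constructed sample log. 203.0.113.7 is a documentation-only address.
SAMPLE_LOG = [
    "infusion-pump-01 -> pump-server.hospital.local tcp/8443",
    "patient-monitor-02 -> hl7-gateway.hospital.local tcp/2575",
    "patient-monitor-02 -> ntp.hospital.local udp/123",
    "infusion-pump-01 -> 203.0.113.7 tcp/445",
    "ventilator-09 -> hl7-gateway.hospital.local tcp/2575",
]

if __name__ == "__main__":
    for verdict, flow in find_deviations(SAMPLE_LOG):
        print(f"{verdict:15} {flow.device} -> {flow.dst} "
              f"{flow.proto}/{flow.port}")
```

Run as-is, the script reports the pump’s undeclared SMB-port flow as a deviation and the ventilator as a device with no baseline; everything the manufacturer declared passes silently. The value of the declaration is that the provider does not have to guess what “normal” is for each of thousands of devices; the manufacturer states it, and the monitoring tooling already in place can enforce it.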

5) Prepare for the human capital needed to implement the plan. The current FDA plan doesn’t take into consideration the sheer volume of resources needed at the provider level to implement all of the new measures. There needs to be a plan for actually driving change and supporting provider efforts. Providers don’t currently have the bandwidth to keep up with all the data, devices and patches; more data without resource support may not have the impact the plan desires. It may be worth incorporating financial incentives to move providers forward in incorporating these changes. Additionally, it may make sense to explore penalties and fines for non-compliance.

The only way to take cybersecurity more seriously in healthcare is to force the industry—manufacturers or providers—to either provide a fix or replace the devices that present risk within a user’s environment. By addressing the cybersecurity risks with the FDA’s Medical Device Safety Action Plan, we can create a regulatory framework that encourages innovation and looks toward the future of connected medical devices.

About the Author

Dan L. Dodson serves as President of Fortified Health Security, where he helps healthcare organizations effectively develop the best path forward for their security program based on their unique situation. Dan and his team partner with clients to strengthen their overall security program by assessing not only risks, but also the financial, clinical, cultural and regulatory implications of their current security program, empowering each organization with the most effective solutions to mitigate cybersecurity and compliance risks. He currently serves on the Southern Methodist University Cyber Security Advisory Board. Dan holds an M.B.A. in Health Organization Management and a B.S. in Accounting and Finance from Texas Tech University.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.
