Last week, the FDA released its Medical Device Safety Action Plan that focuses on assuring the safety of medical devices through the Total Product Life Cycle (TPLC), communicating and resolving new or increased known safety issues, and advancing innovative technologies that address these safety concerns.
The plan proposes using several cybersecurity measures to mitigate risk and prevent breaches of connected devices. These include: 1) considering a requirement for firms to update and patch device security in product design and submit a “Software Bill of Materials” to the FDA, 2) updating pre-market guidance on medical device cybersecurity, 3) considering a new postmarket authority to require firms to adopt policies and procedures for coordinated disclosure of vulnerability, and 4) exploring the development of a CyberMed Safety (Expert) Analysis Board (CYMSAB).
While the plan is well-intended in addressing today’s medical device security issues as related to patient safety, there are several gap areas that need to be addressed. Most notably, it does not adequately account for securing devices currently in-use nor provide an approach for preparing for the future of cybersecurity. These are two areas that need to be figured out in order to provide a truly comprehensive medical device security plan.
How to Respond to the FDA’s Medical Device Action Plan
1. Hold manufacturers accountable for addressing vulnerabilities.
When it comes to supporting a medical device, a provider can’t deploy updates unless the manufacturer has tested the update for performance issues. Providers need to hold their manufacturers accountable for conducting these tests and confirming devices are ready for use. One way to do this is by requiring a service-level agreement around addressing vulnerabilities within a certain timeframe (e.g. 15 days for critical issues, 30 days for high issues, etc.). This will ensure both parties are aware of the expectations for resolution.
Additionally, consider requiring manufacturers to submit threat intelligence and vulnerability information to organizations like the National Health Information Sharing and Analysis Center. This will keep providers aware of security risks so they can properly prepare their organizations.
2. Standardize manufacturer communication.
Providers regularly need to contact manufacturers about known vulnerabilities of their devices, but the expectations or types of communication vary by manufacturer and device. This can be a very slow process that inhibits providers from adequately securing their environments or achieving resolution for an issue in a timely matter. Setting standards for how manufacturers communicate with providers and the cadence of communication will help address these roadblocks and ensure a more effective risk-mitigation process.
3. Require manufacturers to “harden” devices as part of pre-market submissions.
One way to prevent security threats down the road is for the FDA to require manufacturers to “harden” their devices as part of their pre-market submissions. If the devices are hardened to a known standard like the Center for Internet Security (CIS) Benchmarks or the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) from the get-go, security issues will be more manageable once the devices are in-market. By building in this “hardening” step early on, manufacturers may be able to reduce the number of steps required to test and approve security updates more quickly once a device is in-market.
4. Strengthen cybersecurity requirements as input for class ratings.
The FDA should consider re-evaluating the cybersecurity requirements used as input for class ratings. For example, if a device is connected to the network and a patient at the same time, should this impact its class rating? Taking stock of the class rating system could be useful in determining if ratings are appropriately designated, or if adjustments need to be made based on cybersecurity requirements.
5. Evaluate device connectivity requirements.
There are a couple of connectivity issues that need to be addressed when implementing cybersecurity measures. First, we need to consider requiring device manufacturers to provide a very clear connectivity path to end users so that malicious behavior can be monitored with widely-used in-market technologies. This path should outline which devices should communicate with the technology, as well as “normal” communication types, so the users have a better understanding of how their devices should perform on the network.
Additionally, for devices that have full-time network connectivity, consider requiring manufacturers to provide a mechanism for performance monitoring that is compatible with widely implemented tools across all organization types and sizes. Ultimately, this would move the industry toward a longer-term strategy for full-time connected devices.
6. Consider resource constraints.
The current FDA plan doesn’t take into consideration the sheer volume of resources needed at the provider level to implement all of the new measures. There needs to be a plan for actually driving change and supporting provider efforts. Providers don’t currently have the bandwidth to keep up with all the data, devices and patches; more data without resource support may not have the impact the plan desires. It may be worth incorporating financial incentives to move providers forward in incorporating these changes.
Getting serious about cybersecurity
The only way to take cybersecurity more seriously in healthcare is to force the industry— manufacturers or providers—to either provide a fix or replace the devices that present risk within a user’s environment. With more than 19,000 different devices on the market, the surface area for cyber attack is big and continuing to grow. It’s up to both parties to be proactive and comprehensive in determining the best approaches for keeping devices safe and secure for the patients using them.
As the discussion will certainly continue to unfold, I had an opportunity to talk further about the new FDA plan in this Modern Healthcare article.