FDA on medical device security: ‘We’re not waiting for harm’ to act

Following a ransomware attack simulation within the clinical environment at CyberMed, the Food and Drug Administration’s Office of Strategic Partnerships & Technology Director Suzanne Schwartz reaffirmed the FDA’s proactive posture to swiftly move the needle on much needed pre- and post-market medical device security.

“We are not waiting for harm,” said Schwartz. “We’re not going to wait for something to occur, then react to it.”

Although discussions around medical device security often bring up worries that it will take a patient being harmed for regulators to act, Schwartz was firm with the FDA's mission: the agency is proactively working on improving directives, guidance, protections and regulations.

Prime evidence of this is the newly released FDA guidance for ensuring medical devices are designed with cybersecurity in the forefront, as well as insights for premarket submissions for medical devices that hold known risks.

The release is an update that will “supersede” the FDA’s 2018 draft guidance once it’s finalized, providing further iteration to the initial device insights released in 2014, explained Schwartz. The post market cybersecurity guidance does not replace previous insights, rather it speaks to the “overarching criticality of the quality systems regulation (QSR) for regulation considerations.”

One of the most important elements speaks to the QSR, which outlines and clarifies design controls. These insights impart that the FDA is taking “a very clear step” in the importance of securing devices from “the earliest phases of design and development,” and the entire device management and maintenance throughout its lifecycle must be aligned with QSR.

“This guidance was written to mark the importance of manufacturers considering the QSR, even before the device goes on the market,” said Schwartz. The FDA holds an important role in bolstering medical device security across healthcare with its pre- and post-market guidance, designed as a living document that outlines the FDA expectations for device manufacturers.

“The point is to put in place the necessary protection, security measures and controls so that we’re anticipating the possibilities for cyber intrusion or exploit of identified vulnerabilities,” said Schwartz. “The time to be addressing those vulnerabilities is when they're identified or when they're assessed, in terms of risk, not when that vulnerability has been exploited.”

“And there are some consequences to that,” she added. Overall, it clearly calls out the importance of the QSR and stresses that manufacturers can’t “wipe their hands clean” when it comes to ensuring the security of medical devices throughout the lifecycle.

At the end of the day, the FDA is attempting to align its efforts with the ongoing federal actions for the private sector and the call to action on securing the critical infrastructure.

Ongoing medical device challenges, and the need for a holistic approach

Healthcare’s struggles with inventory, visibility, patch management, and other longstanding medical device risks are well-documented. But staffing shortages and resource gaps are hindering significant progress, with most providers learning to just accept a certain amount of risk.

As seen with the clinical simulation at CyberMed, patient care and morbidity are severely impacted when devices are brought offline due to a cyber incident. Schwartz noted that the FDA is highly concerned about the patient safety risks posed by these real-life scenarios, which have been seen in near-monthly attacks against healthcare in recent years.

The second concern for the FDA is device compromises that impact the way it performs in the clinical setting. Schwartz explained there have been several examples of a device delivering the wrong doses, or an inappropriate cardiac shock on a patient with an defibrillator.

The final concern is data integrity — not privacy issues — but the possibility for manipulating data in transit or stored within the medical device. The FDA is working globally on a more holistic approach to the risks and challenges posed by medical devices, in hopes of creating a “common or harmonized approach.”

“There are no international boundaries here when we're talking about cybersecurity,” said Schwartz. To make progress on device security, awareness is key to inform the measures taken by healthcare entities, regulators, and device manufacturers across all geographic boundaries. 

To accomplish this, there’s an overwhelming need for transparency, including the use of software bill of materials (also included in the updated cybersecurity guidance). Recently proposed legislation would require device manufacturers to provide SOBMs to users.

It’s critical that end-users, owners and operators of infrastructure really understand where and what the component parts are within the systems, the devices and technologies operating on the network, “for obvious reasons.”

Namely, as Schwartz noted, “the only way we can effectively do asset management… [or] risk assessments is by exactly understanding where the potentially vulnerable components reside.”

“We don't want to have healthcare operators in the dark, as far as not knowing where it is that they should be focusing their attention or prioritizing the types of risk mitigations… to best protect their systems and their facilities from a potential intrusion or attacks,” said Schwartz.

But with increased transparency, is the FDA concerned they may reveal the biggest vulnerabilities to attackers? In short, no, as sharing information in this way is not going to inform threat actors “of something they don’t already know.”

“A fair amount of information sharing already occurs among the those looking to do something malevolent,” said Schwartz.

The importance of threat sharing cannot be overstated: it provides healthcare entities with the means to put protections in place and improves awareness around pressing vulnerabilities and recommended mitigations.

“We don't do security by obscurity here. Obviously, no one is putting out any proof of concept code of an exploit,” she continued. The FDA is not going to hide something because they’re concerned an attacker will get their hands on it. It’s more pressing that healthcare entities be empowered with much needed resources and threat intel.