Ramping Up Medical Device Cybersecurity
FDA Initiates Risk Assessment Effort
The Food and Drug Administration is ramping up efforts to strengthen the security of medical devices. For example, it's collaborating on the development of a risk assessment framework to enable healthcare sector stakeholders to identify cybersecurity vulnerabilities and mitigate the risks.
Networked medical devices, including MRIs, ventilators and insulin pumps, face emerging cyberthreats, including malware, software flaws and hacker attacks, that can affect the integrity of data and raise potential safety concerns for patients (see Medical Device Security: The Hurdles). Security experts say there is a lack of awareness among device manufacturers as well as healthcare providers about the need to identify and mitigate cybersecurity vulnerabilities.
To help address the risks, the FDA is collaborating with the National Health Information Sharing and Analysis Center to develop a shared risk assessment framework that can "enable healthcare sector stakeholders to efficiently assess patient safety and public health risks associated with identified cybersecurity vulnerabilities and take timely, appropriate action to mitigate the risks" related to medical devices, as well as the integrity and security of the healthcare IT infrastructure, says a statement from FDA and NH-ISAC.
NH-ISAC is one of the nation's 18 ISACs that are supporting national critical infrastructure protection.
The collaboration between the FDA and NH-ISAC is also aimed at encouraging healthcare stakeholders to develop best practices and improved information sharing related to cybersecurity vulnerabilities and threats against medical devices, says Suzanne Schwartz, M.D., director of emergency preparedness/operations and medical countermeasures at the FDA's Center for Devices and Radiological Health. Her comments came at the recent HIPAA conference hosted by the National Institute of Standards and Technology and the Department of Health and Human Services' Office for Civil Rights.
The FDA is looking for opportunities to improve information sharing and industry response planning for cyber-related incidents affecting medical devices, Schwartz says.
"No one single organization - government agency, provider, device maker, security firm - will be able to solve these issues on their own. Government needs the private sector to own up and be part of the solution-building process," she says. That process includes building awareness of existing and emerging cyberthreats as well as improving preparedness and response, she says.
The FDA wants to lead the way in helping the healthcare sector "shift from a reactive stance to a proactive posture," Schwartz adds.
The FDA and NH-ISAC on Sept. 23 revealed they've signed a new "memorandum of understanding" to jointly address the cybersecurity of medical devices.
A goal of the partnership is to "create an environment that fosters stakeholder collaboration and communication, and encourages the sharing of information about cybersecurity vulnerabilities that may affect the safety, effectiveness and security of the medical devices, and/or the integrity and security of the surrounding healthcare IT infrastructure," the memorandum states. "Ultimately, exploited vulnerabilities may have downstream public health and patient safety consequences."
Another goal of the relationship is to encourage use in the healthcare sector of the voluntary cybersecurity framework established by NIST - including applying it to medical device cybersecurity.
Besides the new collaboration with NH-ISAC, the FDA is partnering with the Department of Homeland Security's ICS-CERT to enhance communication about cybersecurity issues affecting medical devices, Schwartz says.
On Oct. 21-22, the FDA will host a public workshop, "Collaborative Approaches for Medical Device and Healthcare Cybersecurity." The FDA, along with representatives from HHS and DHS, is seeking participation by healthcare sector stakeholders, including small clinics, large hospitals and medical device makers, to identify barriers to cooperation; discuss innovative strategies to address challenges that may jeopardize critical infrastructure; and enable development of best practices to strengthen medical device cybersecurity.
The workshop will address how to "quickly identify, communicate and mitigate cyberthreats and vulnerabilities," Schwartz says, including "threats that are repurposed, starting in other industries and moving to the healthcare sector."
"With the presence of the FDA to facilitate this discussion among all [health industry] stakeholders, hopefully progress can be made to develop strategies for information security safeguards of medical devices, especially older devices that are in healthcare facilities today," says David Holtzman, a former senior adviser at OCR who's now a vice president at the security consulting firm CynergisTek. "In my experience, there's been a significant gap in the attention paid in securing medical devices, and we need to change that."
The FDA also intends to establish a mechanism by which information regarding cybersecurity vulnerabilities and threats to medical devices can be shared with NH-ISAC, Schwartz says.
"Reducing medical device cybersecurity risks to public health and patient safety requires a trusted information-sharing environment that supports the rapid sharing of vulnerabilities and threats, a decision framework supporting innovative assessment and mitigation strategies, and opportunities to adapt and operationalize the NIST Framework for Improving Critical Infrastructure Cybersecurity," says NH-ISAC executive director Deborah Kobza.
The organization's partnership with FDA "leverages the NH-ISAC's cyber intelligence information-sharing infrastructure for the nation's health sector and establishes two-way information-sharing mechanisms by which medical device cybersecurity vulnerabilities will be shared between the NH-ISAC and the FDA," she says.
The alliance with the FDA is one of several new initiatives at NH-ISAC. Jim Routh, CISO of health insurer Aetna and NH-ISAC chair, says it's his goal to make NH-ISAC "more like the Financial Services Information Sharing and Analysis Center."
Routh, who is also a board member of FS-ISAC, says NH-ISAC is developing new working groups, similar to working groups at FS-ISAC that "formulate policies and practices." Those groups are diving into issues such as security controls for big data and legacy systems.
Also, NH-ISAC is looking to involve healthcare sector stakeholders in tackling cybersecurity issues faced by the industry through the help of a new alliance with SANS Institute, Routh says. SANS Institute is partnering with NH-ISAC for a new annual conference to be held in December to discuss cybersecurity issues facing the healthcare sector, he says.