FDA Medical Device Cybersecurity Workshop: Safety, Security, Usability in Uneasy Balance
EMERGO SUMMARY OF KEY POINTS:
- Medical device cybersecurity risk management must involve manufacturers, regulators and end-users to be effective.
- Understanding how a device fits within a broader healthcare network allows a better understanding of cybersecurity vulnerabilities.
- Smaller healthcare providers with fewer resources remain largely underserved when it comes to cybersecurity risk management tools for medical devices and technologies.
Effectiveness of ongoing efforts to address medical device cybersecurity risks will depend on whether stakeholders can properly balance security, safety and usability issues as well as understand end-user environments, according to speakers at a new US Food and Drug Administration workshop.
Day One of the FDA workshop, Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis, featured presenters who collectively illustrated how only concerted and coordinated efforts by medical device manufacturers, healthcare providers and other end-users, and regulators will allow proper mitigation of cybersecurity threats. (The recent WannaCry ransomware attack on healthcare systems worldwide only heightened the importance of the workshop’s subject matter; along with hospital networks, some medical devices from manufacturers such as Siemens and Bayer have also reportedly been affected by the ransomware.)
Hospitals: Microcosms of cybersecurity risk
A key point several Day One workshop speakers made was that cybersecurity risk mitigation needs to be a collective effort between manufacturers, who design and produce devices, and healthcare networks, where those devices are not only used in treatment regimens but also embedded into networks alongside other devices and technologies, where they interact with other network components.
“If you’ve seen one hospital, you’ve only seen one hospital,” argued Penny Chase and Steve Christey Coley, Information Technology and Cyber Security Integrator and Principal Information Security Engineer, respectively, at MITRE Corporation. In terms of stakeholders—researchers, manufacturers, hospitals, patients, and regulators—the challenge for any single stakeholder is mitigating cybersecurity risk in a way that works for all other stakeholders, as well, according to Chase and Christey Coley.
Kevin McDonald, Director of Clinical Information Security at the Mayo Clinic, emphasized even more strongly that any one healthcare facility’s unique network of interconnected devices and technologies presents inherent challenges in terms of security. In the Mayo Clinic’s case, McDonald said, medical devices are the weakest security link: Mayo has about 25,000 connected devices, many of which present their own unique security challenges to the clinic’s broader network.
McDonald oversees an information security staff that manages patching, updating and, when necessary, replacing devices. The clinic now utilizes a vigorous onboarding process for any new device added to its network. But most US healthcare facilities lack Mayo’s depth and breadth of resources, he noted, making their cybersecurity risk mitigation efforts much harder.
Scaling medical device cybersecurity risk management tools so that smaller healthcare facilities can actually use them indeed remains an unmet need, according to Adventium Labs Chief Engineer Todd Carpenter.
“Eighty percent” of hospitals and clinics in the US have “50 or fewer staff,” said Carpenter, adding that most of these facilities have little or no security staff at all. “We still need solutions that all these organizations can use.”
Securing devices: inherent challenges
The weak-link analogy the Mayo Clinic’s McDonald used to describe medical devices reflects major challenges manufacturers face as they attempt to develop secure products able to function properly across diverse healthcare environments.
Ken Hoyme, Director of Product and Engineering Systems Security at Boston Scientific, raised several significant hurdles that manufacturers as well as their customers should bear in mind to mitigate or avoid cybersecurity breaches, including:
- Scalability: Is your security solution too complex for use by smaller institutions—that is, most of them?
- Awareness of inventory: What third-party software or content do you use, and does it present a security issue?
- “Composability”: Can you build a safe and secure system from non-safe, non-secure components? Also, individual devices are developed, reviewed and cleared or approved independently—how do you evaluate the safety and security of a device that operates as part of a broader network of devices?
Hoyme also argued that the widespread use of commercial software and operating systems with three- to seven-year lifecycles to support medical devices that typically have 10- to 15-year lifecycles presents a major security risk; instead, manufacturers should incorporate longer-term operating systems into their devices to reduce the need for updating and patching.
Additional Emergo reports on the workshop are forthcoming.