Did you know that October is National Cybersecurity Awareness Month? Neither did we, until we started poking around the FDA’s recent press release announcing that it intends to update its guidance on medical device cybersecurity within the next few weeks. We also learned that National Cybersecurity Awareness Month has been observed each October since its inception in 2004. Observed by whom? We’re not exactly sure. We picture our IT consultants walking office to office handing out hats and stickers with catchy slogans like “A password is like underwear. Change it!” Or some lame pun involving the work “phishing.” If it were up to us, we would default to the simple and classic “Ctrl-alt-delete before you leave your seat.”
All kidding aside, cybersecurity threats have moved in recent years from theoretical to very real, and while there remains no reported instance of anyone hacking into a medical device being used to treat a patient, the potential vulnerability is one to which we need to pay attention.
That includes the FDA. The FDA has published guidance on cybersecurity with regard to both premarket submissions and post-market submissions. (You can see our take on the postmarket guidance here) Based on the FDA’s press release, updates are coming to the premarket guidance, specifically to “highlight the importance of providing customers and users with a ‘cybersecurity bill of materials,’ or in other words, a list of commercial and off-the-shelf software and hardware components of a device that could be vulnerable to attack.” This jibes with the FDA’s general approach to cybersecurity, which is to undertake a risk-based analysis that identifies vulnerabilities, assesses the potential frequency and severity of the risk, identifies mitigations, and proceeds accordingly. Such a risk-based analysis should be familiar to anyone who operates in the medical device space, where risks and benefits are weighed on a daily basis.
The other news of the press release is the publication of a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, which “describes the types of readiness activities that’ll enable HDOs [healthcare delivery organizations] to be better prepared for a cybersecurity incident involving their medical devices.” This Playbook was prepared by the MITRE Corporation, a government-sponsored research and development organization. You can get a copy of the Playbook here, and you can that it is aimed at healthcare providers and critical healthcare infrastructure in which medical devices operate.
The purpose of the Playbook is to help HDOs get ready for cybersecurity threats affecting medical devices that could impact continuity of care and patient safety. More specifically, the playbooks objectives are to:
- Provide baseline medical device cybersecurity information that can be incorporated into an HDO’s emergency preparedness and response framework;
- Outline roles and responsibilities for responders to clarify lines of communication “across HDOs, medical device manufacturers (MDMs), state and local governments, and the federal government”;
- Describe a standardized approach to response efforts;
- Serve as a basis for enhanced coordination activities among medical device cybersecurity stakeholders;
- Inform decision making and the need to escalate response;
- Identify resources HDOs can leverage as a part of preparedness and response activities; and
- “Serve as a customizable regional preparedness and response tool for medical device cyber resiliency that could be broadly implemented.”
We put that last one in quotes because we’re not exactly sure what “cyber resiliency” means, but we assume it means the ability to fend off a cybersecurity event or at least mitigate its impact. Toward that end, the Playbook suggests a four phase approach: (1) Preparedness; (2) Detection and Analysis; (3) Containment, Eradication, and Recovery; and (4) Post Activity.
“Preparedness” means exactly what it says, with an emphasis on mindfulness of cybersecurity when procuring medical devices and keeping an inventory such that the HDO is always aware of what connected devices it has on hand. HDOs should engage in “hazard vulnerability analysis” (again, a focus on risk) and plan for communicating and responding during an event. That includes medical device manufacturers, whom the Playbook places squarely within the communication loop with the HDO and the FDA.
“Detection and Analysis” focuses on identifying when an incident has occurred and assessing its priority on a numerical scare that strangely assigns “Emergency” events to “Category 0.” Analysis and documentation are important parts of the process, too.
The core of the response falls under “Containment, Eradication, and Recovery,” which appropriately focused on patient safety. Is the device safe to use? Is there a reliable way to test the device and confirm it is working correctly? Are there spare or backup devices? How quickly can the problem be fixed, and has there been collateral damage to the broader healthcare system? These are the questions that HDO should be asking.
Finally, the “Post Activity.” The Playbook recommends attention to lessons learned, including possibly retaining a digital forensics expert and updating the plan.
As we have said before, medical device cybersecurity is here to stay, and the FDA has been busy. In addition to the Playbook (which is not an FDA document, but still, you get the gist), the FDA has entered into memoranda of understanding to form information sharing analysis organizations (“ISAOs”), which are “groups of experts that gather, analyze and disseminate important information about cyber threats.” The Agency has participated in cybersecurity exercises and summits, and has engaged discussions with other government agencies, including the Department of Homeland Security. It has proposed a Center of Excellence for Digital Health, which “would help establish more efficient regulatory paradigms, consider the building of new capacity to evaluate and recognize third-party certifiers, and support a cybersecurity unit to complement the advances in software-based devices.”