The medical internet of things is coming. That was the common recognition of participants at a two-day public workshop on “Collaborative Approaches for Medical Device and Healthcare Cybersecurity” co-sponsored by the Food and Drug Administration (FDA), the Department of Health and Human Services (HHS), and the Department of Homeland Security (DHS). The workshop comes during a busy month for medical device cybersecurity, with the FDA issuing final premarket guidance earlier this month and DHS indicating that it is reviewing roughly two dozen suspected cybersecurity vulnerabilities in medical devices.
The following themes emerged during the workshop:
- Cybersecurity Information Sharing. Many participants recognized the value of information sharing not only to distribute information about known risks (as currently occurs via the NH-ISAC), but also to enable a critical new mindset: systems thinking. Kevin McDonald (Director of Clinical Information Security, Mayo Clinic) and others emphasized that in an environment of such staggering complexity, each participant must be able to think not only of one element, but also of the cohesive whole. Carlos Kizee (DHS Office of Cybersecurity and Communications representative) volunteered that one way to operationalize this mindset is to enable integrators: those actors in the health care system who identify the desired outcome, recognize how to inspire trust between partners, and translate intermediate requirements into focused action.
- Cybersecurity Framework. Kevin Stine (Manager of the Security Outreach & Integration Group, NIST) introduced the Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”), designed to establish a common cybersecurity language for organizations of all sizes and purposes. Participants recognized that a common language should be used not only to enable security professionals to communicate with each other, but also, and perhaps more importantly, to communicate across the entire network of stakeholders, from patients to corporate executives. In this spirit, the FDA premarket guidance cited above was revised so that its recommendations are organized around the Framework's core functions (Identify, Protect, Detect, Respond, Recover).
- Securing Legacy Devices. Legacy devices, those already in use in hospitals around the country, are a significant part of the cybersecurity challenge. Many have been in operation for 10–15 years since release, illustrating a defining tension in medical device procurement: while the innovation race accelerates, cost constraints continue to prevail. Next-generation devices often have security safeguards designed in, but securing devices already deployed, which typically cannot be patched or redesigned, presents a different kind of challenge. Participants noted this challenge can be tackled by beginning with an inventory of critical assets and then prioritizing the most critical threats to them.
- Be Proactive, not Reactive. Hospitals and their staff are resilient but largely reactive; it is the natural mindset of an institution designed to respond to crisis. Mary Logan (President, Association for the Advancement of Medical Instrumentation) emphasized that proactive thinking is critical to effective cybersecurity. To achieve a system of secure organized complexity, the health care industry should begin by recognizing that devices must be designed with the culture and workflow patterns of hospitals in mind.
Echoing the workshop’s spirit of productive collaboration, Brian Fitzgerald (Deputy Director of the Division of Electrical and Software Engineering, FDA) concluded by saying that the FDA’s short-term goal is to understand how the gears in this complex ecosystem interact. In the long term, he hopes that the community can make medical devices the most secure systems in the health care environment.
During the workshop, Reuters reported that the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is reviewing roughly two dozen suspected cybersecurity vulnerabilities in medical devices and hospital equipment. There have been no known attacks, and a DHS review does not imply any wrongdoing, but the reviews underscore the significance of addressing medical device cybersecurity.
The workshop also follows the FDA’s October 2 release of final guidance on the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Though non-binding, the guidance identifies cybersecurity issues that device manufacturers should consider in the design and development of their devices and document in premarket submissions, and it encourages manufacturers to use the Cybersecurity Framework to guide their cybersecurity activities.
The conference agenda is available here. Links to the webcast recordings will be posted on the same page shortly.
The FDA will hold a webinar Q&A on the new FDA premarket cybersecurity guidance on October 29 at 2:00 p.m. Eastern. More information is available here.