FDA Proposes Action to Enhance Medical Device CybersecurityAgency Seeks Congressional Authority to Require Makers to Take Certain Steps
The Food and Drug Administration has issued plans - some of which will require Congressional approval - for enhancing the safety of medical devices. Those include several proposals for advancing cybersecurity, including imposing new requirements on device manufacturers.
Some experts say the FDA's plans are a good move, given the current device risk environment, but they warn that some proposals could prove difficult to achieve.
The FDA is seeking "additional authorities and funding for Congress to consider, which would build on [FDA's] work to date and further minimize medical device cybersecurity vulnerabilities and exploits," Scott Gottlieb, M.D., FDA commissioner, says in a statement.
"Although medical devices provide great benefits to patients, they also present risks. With FDA's plan, we are focusing equal attention on advancing new frameworks for identifying risks and protecting consumers," he says.
"In recent years FDA, manufacturers and healthcare entities have made tremendous strides to improve the cybersecurity of medical devices. However, all stakeholders, including FDA, must strive to keep pace with emerging threats and vulnerabilities."
The FDA, in a statement to Information Security Media Group, notes: "For all aspects of the Medical Device Safety Action Plan, the agency will leverage existing authorities whenever possible and identify funding to meet our goals. [But] with regard to the cybersecurity proposals, the FDA plans to consider seeking new authorities [from Congress] related to pre-market submissions and post-market authorities."
The FDA's overall plan for enhancing medical device safety and innovation focuses on five key areas. In addition to advancing medical device cybersecurity, the other components are:
- Establish a robust medical device patient safety net;
- Explore regulatory options to streamline and modernize timely implementation of post-market mitigations;
- Spur innovation toward safer medical devices;
- Integrate the FDA's Center for Devices and Radiological Health's pre-market and post-market offices and activities to advance the use of a "total product life cycle" approach to device safety.
Specific FDA proposals for advancing medical device cybersecurity include the agency seeking authority for issuing potential new requirements on device manufacturers.
The FDA's current pre-market and post-market cybersecurity guidance documents generally "recommend" medical device makers take a number of steps to address the cybersecurity of their product, including patch management. The guidance, however is non-binding.
The agency's new proposal includes "potential new pre-market authorities" requiring firms build the capability to update and patch device security into a product's design and to provide appropriate data regarding this capability to the FDA as part of the device's pre-market submission, the agency says.
Also, the FDA is considering requiring that medical device firms develop a "software bill of materials" that must be provided to the agency as part of a pre-market submission and also made available to medical device customers and users. This would help the firms better manage their networked assets and be aware of which devices in their inventory or use may be subject to vulnerabilities, the agency says.
"In addition, availability of a 'software bill of materials' will enable streamlining of timely post-market mitigations," the FDA notes.
While the FDA has in recent years issued cybersecurity guidance for the pre- and post-market of medical devices, the agency is proposing updates.
That includes the agency updating its pre-market guidance on medical device cybersecurity "to better protect against moderate risks - such as ransomware campaigns that could disrupt clinical operations and delay patient care - and major risks - such as exploiting a vulnerability that enables a remote, multi-patient, catastrophic attack," the agency's plan notes.
An FDA spokeswoman tells ISMG that the agency "will update the pre-market cybersecurity guidance, but we do not have a timeline to share on that."
In addition, the FDA says it's also considering new post-market authority to require that firms adopt policies and procedures for coordinated disclosure of vulnerabilities as they are identified.
New Cyber Safety Board
Besides those proposals, the FDA says it is exploring the development of a CyberMed Safety Expert Analysis Board. "The CYMSAB would be a public-private partnership that would complement existing device vulnerability coordination and response mechanisms and serve as a resource for device makers and FDA," the agency says.
"The CYMSAB would encompass a broad range of expertise - including hardware, software, networking, biomedical engineering and clinical - in order to integrate critical patient safety and clinical environment dimensions into the assessment and validation of high-risk/high-impact device vulnerabilities and incidents."
The group's functions would include "assessing vulnerabilities, evaluating patient safety risks, adjudicating disputes, assessing proposed mitigations, serving in a consultative role to organizations navigating the coordinated disclosure process, and serving as a 'go-team' that could be deployed in the field to investigate a suspected or confirmed device compromise at a manufacturer's or FDA's request," FDA says.
President Trump's fiscal 2019 budget "includes a proposal to expand the digital technology industry, which would include funding to support creation of the CYMSAB," the FDA spokeswoman says.
Moving in Right Direction?
Some security experts say that the FDA's intensifying focus on medical device cybersecurity issues is critically important to patient safety.
"The good news is many device manufacturers have woken up and are actively implementing strong cybersecurity practices," says medical device cybersecurity researcher Billy Rios. "Unfortunately, there are still a handful of manufacturers who refuse to move forward. I hope the establishment of [the proposed] safety analysis board will help the FDA cut through the stall tactics we've seen some manufacturers use in the past," he says.
"FDA is moving carefully and deliberately in the right direction," says Ben Ransford, co-founder and CEO at Virta Labs, a healthcare cybersecurity firm.
"Devices shouldn't be mystery meat on hospital networks, and manufacturers must be willing and able to cooperate with security researchers acting in good faith."
— Ben Ransford, CEO at Virta Labs
"As a firm that grapples with [medical] devices once they're out in the field, we're very happy with FDA's proposals," he says. "Devices shouldn't be mystery meat on hospital networks, and manufacturers must be willing and able to cooperate with security researchers acting in good faith."
Bill Aerts, deputy director of the Archimedes Center for Medical Device Security at the University of Michigan, calls the FDA's plan "another positive step" in the effort to improve device security. "Healthcare still has much work to do to make all of the improvements needed."
Aerts says that the proposals could have a positive impact. "Most of them are not surprising based on what the FDA has been saying and what many of the leading device manufacturers are working on," he says.
Ransford says the FDA proposal with the greatest impact will be a requirement that manufacturers improve patching. "Healthcare providers tell us they feel their hands are tied when it comes to patching most devices," he says.
"The jury is still out" on the software bill of materials proposal, Ransford says. "On the one hand, it's good to know what's inside a device. But on the other hand, knowledge is only half the battle for providers, and manufacturers will struggle to keep those lists up to date."
As for the proposal to launch a CYMSAB, it's "a great idea provided it can remain neutral," Ransford says. "FDA's involvement can equip this panel with a stick for cases in which the guidance carrots don't work."
Aerts is less certain, however, about the viability of the CYMSAB proposal.
"While it is a promising idea, I think the CYMSAB could be the most difficult challenge, as it can be difficult to assemble a group of true experts in the field and manage and communicate the information. And without taking proper care, the board could be received by manufacturers as an intrusion into their product development."