New premarket requirements emblematic of FDA’s long-view approach to cybersecurity

At today's Healthcare Security Forum in Boston, FDA's Dr. Suzanne Schwartz revealed that patchability forensic data capture will be key components of the agency's soon-to-be-released premarket guidance for medical device cybersecurity.
By Dave Muoio

In April of this year, the to improve medical device safety that included a clear focus to reduce cybersecurity existing vulnerabilities and promote strong practices for future devices.

Since then the agency hasn’t dragged its feet — earlier this month FDA Commissioner Dr. Scott Gottlieb released a lengthy statement announcing the release of a cybersecurity incident playbook and detailing a range of public-private cybersecurity partnerships. Also included in the post was news that the FDA would be releasing an updated version of its for medical device cybersecurity.

This morning during a panel at the Healthcare Security Forum in Boston, Dr. Suzanne Schwartz, associate director for science and strategic partnerships at the FDA, gave a few hints on how the new guidance will help device manufacturers address the shifting landscape of medical device cybersecurity.

“With respect to cybersecurity … we’re not going to be static,” Schwartz said this morning at the event. “This is an area that’s evolving: the threats are evolving, our understanding of the landscape is evolving, and for that we cannot be static. We have to be dynamic, we have to be able to move in a more agile way, we need to be able to also, therefore, provide the appropriate guidance, recommendations and expectations of our regulated industry, medical device manufacturers, what they need to be doing to further enhance the posture of medical devices.”

Avoiding mistakes of the past

The decision to create a new guidance document — which Schwartz said will be released in draft form before the end of the month — was largely driven by a newfound understanding of just how damaging a targeted attack could be, she said.

“It really builds upon the principles [of the 2014 guidance], but it provides a lot more granularity. It’s a much deeper dive, and it’s really informed by what we’ve seen over the past few years … [with] attacks such as WannaCry or on Hollywood Presbyterian,” she said. “The notion that the clinical operations within an organization can be disrupted, and how that cascading effect results in the potential for patient injury or patient safety being at risk, those are concerns that we felt was going to be critical to address in the premarket updated guidance.”

Part of the issue many hospitals face is an inventory of devices without any capacity for software-based security improvements, she said. As such, the agency saw a need to clamp down on device makers to ensure that future devices are engineered with the ability to adapt to new risks.

“One of the primary principles that became important for us to introduce into the premarket guidance … is the concept of devices being patchable and updatable throughout their total product lifecycle,” she explained. “We’ve seen a lot of the hardship, and the challenges that medical centers have provided back to us [is that during] their interactions with health manufacturers, they’ve been told ‘well, this device is no longer patchable,’ or ‘It’s end of life,’ or ‘We cannot do anything about it.’ So, new devices going onto the market [will] provide the FDA as part of the submission process and review … evidence data to support the patchability and supportability of those devices.”

Requiring patchable devices is an important step, but a large part of the issue is that when there is a breach, most hospitals and manufacturers will wipe the device, replace it and move on, Dr. Christian Dameff, an emergency medicine physician from UCSD who describes himself as a long-time hacker, said during the event.

“I get the question all the time: Show me someone who’s died. Show me someone who has been impacted and I will care. … And I say to them, explain to me how you’d even know if something happened. They assume that they have processes in place that would be able to detect something like this, but when you really dive into it they don’t,” Dameff said on stage. “You would imagine [the device manufacturer] has a robust set of forensic analysis, etc., but for the most part the ones I talk to don’t. And quite frankly they have little incentive to. I’m not saying that device manufacturers do this willingly — I’m just saying that there are not robust processes in place for us to find these infections.”

As such, Schwartz said that forensic evidence capture is encouraged by the FDA and will be primary element of the upcoming premarket guidance draft for manufacturers.

“We know that many medical devices in existence at present … whether or not there has been some kind of tampering with that device from a security standpoint would be very hard to discern. But this is a key principle that we [will] be looking for in respect to design of new devices, she said.”

‘They need guidance’

Alongside teases for the upcoming guidance, this morning’s panel included a conversation on the merits of FDA’s recently released cybersecurity playbook. And much like the agency’s guidance for manufacturers, Schwartz said that the document was written to support those working in the dark.

“We’ve recognized over a few years that, with respect to hospitals’ preparedness and response capabilities for a cyber incident or an attack that involves medical devices, that there really is a gap,” she said. “When we have spoken with, whether it’s clinicians, whether it’s biomed engineers, whether it’s IT staff, CISOs, there really isn’t a sense of what it is we need to do in regard to protecting our patients and making sure that our continuity of care is not disrupted and our devices are performing as they should.”

Since the playbook has now been available to the public for a few weeks, Dr. Ramnik Dhaliwal, an emergency room physician with Colorado Permanente Medical Group and the cofounder of healthcare cybersecurity firm Inoculum, was confident in his support for the agency’s latest effort.

“I think the playbook, actually, is an amazing first step,” Dhaliwal said during the panel. “Healthcare delivery organizations, representatives out here in the audience, you need to be thinking about what are your processes in place to identify this, because it’s not a problem that’s going to go away.”

Dameff shared a similar enthusiasm for the document’s intent and execution, and will prove especially useful to organizations without the means to shape a substantial cybersecurity strategy on their own. However, he said the true value of this document and the FDA’s other cybersecurity initiatives will most likely come with time and iteration.

“[Providers] need guidance, they need help, they need to reduce the barriers to them being able to make some change and improve the security posture of the hospital,” Dameff said. “Undoubtedly that’s going to mature, and I think that needs to be a document that is broad enough to be applicable to many different practice environments, but we’ll learn a lot along the way once that gets applied about the specifics, lessons learned. Upon revision, I imagine we’ll have something that’s eventually really a fantastic document that’s the standard.”