With an early eye on pediatrics and a specialty in burn-victim surgery, the Food & Drug Administration’s (FDA) Dr. Suzanne Schwartz, Director of Strategic Partnerships & Technology Innovation at the Center for Diseases and Radiological Health (CDRH) didn’t foresee that she’d be such an important champion for medical device cybersecurity.
Toward the beginning of Dr. Schwartz’s tenure at the FDA in 2012, her role was Director Emergency Preparedness/ Operations and Medical Countermeasures, focusing on ensuring that the country was ready for any kind of sudden nationwide emergency. “Our responsibility was to assure that the FDA and CDRH specifically were prepared to take on different types of hazards, whether they are physical or natural hazards or other types of events that may manifest as public health emergencies.”
At the time, that emergency presented itself in the form of poor product security in existing medical devices, which stood to tamper with patient data and interrupt medical facility operations. While patient health was paramount in the design of emerging medical devices, cybersecurity was not.
Mapping the medical device cybersecurity playing field
Hospitals have been under attack via ransomware for years, with unsecured IoT devices acting as a hacker gateway into a hospital network.
As early as 2012, the FDA saw demonstrations of catastrophic simulations against medical facilities that could be carried out using existing technologies. These white-hat hackers demonstrated how one bad actor could penetrate clinical care facilities on an administrative or patient level. There came a point that Dr. Schwartz’s team had “seen a fair amount of proof of concepts with respect to how an impact on a medical device can certainly affect its function in ways that either it doesn’t function at all or it functions inappropriately. That has the potential to be lethal at the worst, or at least damaging to patients,” said Dr. Schwartz. “So, we had to face reality. As has always been the case, we’re not waiting for that first death or injury to occur in order to take action.”
Over the next year, Dr. Schwartz compiled a team of specialists and built a foundational cybersecurity approach based on industry leaders who understand the full scope of the challenge that lay ahead. At first, this meant being reactive to every new incident that came. After a short time, the FDA was able to be more proactive, creating new guidelines on what cybersecurity practices should be followed before presenting a device for FDA approval.
Dr. Schwartz explained, “Our team moved into a position that was more proactive in terms of defining and identifying the policies and the expectations that the FDA would have in order to better secure medical devices through their lifecycle.”
Creating and upholding regulations
Earlier this year, the FDA released their guidelines for Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.
According to Dr. Schwartz, this is intended to be a living document, updating the original pre-market guidelines to meet the evolving market. To see how much had changed with regards to the market and FDA requirements, the original 2013 guidelines was nine pages long. In contrast, the latest guidelines are 40. Yet, underneath these 40 pages are three common themes. They are:
First and foremost, patients must have trust in the medical devices that are assigned to them. One way for the FDA to ensure that all devices are secure, which by default gives patients confidence that they are secure, was by guiding companies on how to identify threats and mitigate potential vulnerabilities before submitting them for FDA pre-market approval.
“We have done a fair amount of work on threat modeling, including working with partners to release a playbook that provides some examples of how to walk through that process and that the expectation would be that threat modeling needs to be incorporated within the pre-market submission.”
Considering what’s at stake, it is critical that no unauthorized users can enter a device and that is for manufacturer’s to test before submitting their device to the FDA.
When a family, friend, or any patient is in need of medical care, trustworthiness must be supported with transparency.
To achieve this, SBOMs must be generated so the company and the FDA can understand which software components exist within the device, if any of them are vulnerable, and how to ensure cybersecurity throughout the product’s full life cycle. This allows for patients to request relevant information about the device they are using while also giving critical data to development, as well as cybersecurity teams, regarding what worked, what didn’t, and how to better secure devices in the future.
At the heart of the legacy challenge are allowing for devices to be used in the field for 5,10, or even 20 years. While devices today can be programmed for remote updates and security patches, legacy devices risk becoming ‘bricked’ or becoming inoperable following an update.
“[Resilience] really gets at the heart of the legacy challenge that we face today. With so many devices on the market, in spite of being able to identify vulnerabilities in them, they can’t be patched,” said Dr. Schwartz regarding what we can learn from the past. “They should be updateable and they should be able to perform in the way that they were intended while receiving updates and fixes in real time.“
The hard truth is that new vulnerabilities will continue to threaten devices throughout their lifecycle. That’s why full-scope plans were developed in collaboration with the National Telecommunications and Information Administration (NTIA), CISA, and others. This helped draw a direct link between cybersecurity and safety, providing a firm answer to why the FDA was successfully driving incremental change throughout the medical device space.
Like the development of new guidelines, securing devices and their supply chain demands a community approach. It is a challenge that can be overcome as long as the right stakeholders are brought together to collaborate for the greater good of the industry. This includes seeing what was done upstream and conducting due diligence on vendors.
Collaborating to boost medical device cybersecurity
Whether a leading device maker or a new entrant into the field, teams must become comfortable working together to tackle key cybersecurity challenges.
Startups should be able to go to legacy device makers to see how challenges were handled while at the same time, enterprises should be able to call upon startups’ nimble creativity to address emerging threats.
Public private partnerships stand to boost the entire healthcare sector. One example of this is the coordinated council under the Department of Health and Human Services Public Private Partnership for Critical Infrastructure, which includes medical companies.
Ultimately, focusing on medical facility needs and an unwavering commitment to patient security will bolster trustworthiness for all patients who are up against a new world of emerging cybersecurity threats.