It is no surprise that the healthcare industry is facing increasing cybersecurity threats, and the increase in connected devices is all the more reason why covered entities need to ensure that their medical device cybersecurity measures are current and comprehensive.
The Food and Drug Administration (FDA) recently ended the comment period on its “Post-market Management of Cybersecurity in Medical Devices” draft. While there are important takeaways for both device manufacturers and providers, there is still a long way to go, according to CynergisTek, Inc. co-founder and CEO Mac McMillan.
If followed, the draft guidance lays out basic common-sense principles for engineering or developing new devices, according to McMillan. It also sets out the principles for deploying those devices in a safe and secure manner.
The FDA was careful not to be overly prescriptive, so as not to unduly hamper innovation by the manufacturers, he added.
“But, [the FDA] at least addressed the basic components of what we need [the manufacturers] to do today to send off a lot of the issues that are out there, and make these devices more secure, not just with respect to the people that they're attached to, but the networks that they're attached to as well,” McMillan explained.
Running a current, supportable operating system, deploying security patches when they are called for, and being able to audit access to the device are all key things that device manufacturers must be aware of. It would also be beneficial to encrypt the communications between the device and the backend, or the network, he stated.
Stacy Taylor, counsel at DLA Piper, explained that the FDA draft guidance focuses on what the manufacturers should be doing, or have to do. It also tries to incentivize manufacturers to work more closely with other stakeholders.
“They’re really encouraging them to work together, even component manufacturers, and software designers whose work isn’t necessarily regulated,” explained Taylor, who also co-chairs DLA Piper's Medical Device Industry Working Group. “Even though the focus is on the manufacturers, it clearly is intended to bring everybody into the fold to make sure these guidance recommendations are met.”
The idea that all these different stakeholders are talking to each other can be greatly beneficial, she stated. For example, a healthcare system can tell a device manufacturer, ‘This is what we need, this is what we see going wrong in the system, these are our abilities against a cybersecurity threat based on circumstances of our facility and our settings.’
From there, a better device can be created. The more closely the manufacturer complies with the spirit of this guidance, the more both sides benefit.
“My biggest issue with it still is that it’s just guidance,” McMillan maintained. “At the end of the day, as well intentioned as all of it is, the manufacturers still don’t have to listen to it.”
The manufacturers can still produce a device that is fundamentally insecure, but if it doesn’t present a safety issue, then it will get approved by the FDA, he cautioned. There is no accountability.
“If we really want to make a change in the industry with respect to medical devices, we need a hard‑and‑fast standard that is part of the accreditation process for the device,” according to McMillan. “In other words, if it's not on a current operating system, it can't get approved. If it can't be patched, or fixed, or if it can't manage access or encrypt the communication, then it doesn't get approved.”
McMillan stated that some manufacturers are already doing a very good job of putting better devices on the market and are investing in security around those devices.
However, there are thousands of medical device manufacturers, he warned, and all of them need to take the time to ensure that their devices are properly secured.
Why regular updates may be beneficial
McMillan said he hopes the guidance will be updated regularly as cybersecurity threats evolve, but that would require an ongoing mechanism for doing so.
“I would like to think that they would revisit that guidance periodically,” he said. “And it would have to be almost annually, because the way security works today, every six months there's something new out there that we have to account for. If you're just not constantly on top of it, you're going to always be behind.”
Taylor explained that the guidance is not creating a new class of regulated products, or even reclassifying any products that have already been regulated. This is not the broad, sweeping impact that the FDA is sometimes known for, she said.
“It’s part of an overall effort by the US to focus on cybersecurity threats to critical infrastructure,” Taylor stated. “Life sciences is just part of that infrastructure. This is in some ways, a relatively moderate step forward, if the guidance comes out pretty much as we’ve seen it in the draft guidance.”
Furthermore, this guidance is aimed at software designers and makers of medical devices with a software component, she added. These organizations are already regulated, and are accustomed to the quality system that is a big target of this guidance.
“This is really more of a tweak to the system than it is a sweeping overhaul,” she maintained.
Recent hearing discusses healthcare cybersecurity issues
Last month, the House Energy and Commerce Subcommittee held a hearing on the future of healthcare cybersecurity and on what the role of the Department of Health and Human Services (HHS) should be.
While the hearing touched on numerous issues, including the potential CISO role at HHS, McMillan said that an interesting aspect was that almost all of the members of Congress who sit on that committee attended the session and asked questions.
Typically, there are some who are “kind of interested” in the issue, he explained, but the whole committee is not always involved. However, McMillan said he was “fairly impressed with the fact that almost every committee member was there and almost every single one of them took all five minutes of their time to ask questions.”
There were questions about medical devices and how large a concern this area is, he stated. This is an issue they care about and one that they are interested in.
The hearing also focused on the HHS Data Protection Act (H.R. 5068), which would establish the office of the Chief Information Security Officer (CISO) at HHS, and that the CISO would be a peer to the Chief Information Officer (CIO), rather than reporting to the CIO.
Unseen medical device cybersecurity threats
Taylor also called attention to the draft guidance's point that cybersecurity risks cannot be mitigated solely through premarket controls.
“The idea of this guidance is that cybersecurity threats can be thought of and addressed while the device is being designed, but they won’t really come up after the device is on the market,” she explained. “And it’s a moving target. It requires a certain amount of education by the manufacturers to stay on top of what’s happening with their devices and develop ways to address it.”
The guidance incentivizes them to do that fairly quickly. If the manufacturers have a touchstone, where they have defined for themselves what the essential clinical performance of the device is, then they have a way to evaluate whether a particular new cybersecurity threat could affect that essential clinical performance.
If it does, there is a very specific thing they should be doing, Taylor said. Reports then have to be made to the Agency in order to keep everyone in the loop about what those threats are and how they are being handled.
Some concerns have been raised over medical devices being connected to a network, or to other devices, when they were not originally meant to do so. This can create security issues because the device in question was never designed for such use.
“There's a lot of things that when you engineer a device, build a device, there are different approaches to doing different things,” McMillan explained. “Depending on how the person developing it does those things, they're almost impossible to reverse engineer. Then, trying to get them to work in an acceptable manner and a secure environment, it's just impossible.”
Overall, McMillan urged providers to be aware before they invest in a product, and to do their due diligence in the device selection process.
“The providers can make a difference here, but it's only if they take the [FDA draft] guidance, and incorporate that guidance into their RFP and solicitation process, and make that guidance a hard requirement for procurement of whatever solution they're going to buy,” he stated. “Then, the vendors who try to sell to them would have to prove that they have met those requirements.”
If the process is left up to the vendors, McMillan said, not all of them may even know that the guidance exists.
Providers will be helping themselves by becoming familiar with the draft guidance and making it part of their selection criteria. Any company that wants to sell them a device would then need to demonstrate that it has met the draft guidance itself.
Even so, McMillan explained that this is not an issue that healthcare providers should have to be facing in the first place.
“We shouldn't be forcing the consumer to fix this,” he maintained. “We shouldn't be making it the patient's problem or the hospital's problem to fix this when we have the ability to do it.”