The Food and Drug Administration ("FDA") recently announced that it will be hosting a public workshop on October 21 and 22, 2014, in Arlington, Virginia, entitled "Collaborative Approaches for Medical Device and Healthcare Cybersecurity."
Officials from FDA, the Department of Health and Human Services ("HHS"), and the Department of Homeland Security ("DHS") will bring together medical device manufacturers, insurers, cybersecurity researchers, trade organizations, government officials, and other stakeholders to discuss the numerous challenges faced in medical device cybersecurity.
CDRH OFFICIAL: BE AWARE OF DEVICE RISKS
On September 23 and 24, 2014, the National Institute of Standards and Technology ("NIST") and the Department of Health and Human Services Office for Civil Rights ("HHS OCR") hosted their annual HIPAA conference, "Safeguarding Health Information: Building Assurance through HIPAA Security".
In her presentation "Medical Devices: A Practical Guide for Securing Patient Data", Dr. Schwartz of the FDA Center for Devices and Radiological Health ("CDRH") emphasized the need for a collaborative approach across the medical device ecosystem to ensure security. Because most of the millions of hospital discharges, hospital outpatient visits, physician office visits and prescriptions in the US involve networked medical devices, Dr. Schwartz indicated that securing these devices is of the utmost importance for both regulatory and practical purposes.
MEDICAL DEVICES HAVE INHERENT VULNERABILITIES
Dr. Schwartz noted that as medical devices become increasingly connected through wireless and wired networks, it is critical to ensure that adequate controls are in place on the network. Computers, wireless and mobile devices, and the medical devices themselves can be infected or disabled by malware. Weaknesses also arise from shared passwords, inadequate training of personnel, and failure to update and patch the software running on the network.
Serious vulnerabilities in medical devices have already been demonstrated in the past few years. For example, in 2013 researchers reported that about 300 medical devices from around 40 vendors contained hard-coded passwords. A hard-coded password cannot be changed by the hospital that operates the device, so until the vendor ships a fix the only practical mitigation is to restrict who can reach the device on the network. In 2011, a researcher presented findings on his own insulin pump, showing that it could be compromised and its dosing changed remotely, potentially to a lethal dose.
FDA OFFERS STANDARDS, GUIDANCE
FDA has recognized consensus standards for cybersecurity, interoperability, and wireless technology in medical devices. Additionally, on October 2, 2014, FDA released final guidance on the content of premarket submissions for management of cybersecurity in medical devices. Those who are familiar with the draft guidance should note that the final guidance is substantially similar to the draft, with added emphasis on balance: security controls should not unreasonably limit the ability to use a device in an emergency.
For those who are not familiar with the draft guidance, the final guidance describes the cybersecurity information that manufacturers should include in their premarket submission. It recommends that medical device manufacturers address the following as part of their cybersecurity activities:
- Identify and protect: limit access to trusted users and ensure trusted content (for example, by accepting only authenticated software and firmware updates);
- Detect: implement features that detect a security compromise;
- Respond: inform the end user of the appropriate action to take when a security compromise is detected;
- Recover: protect critical device functionality even in the event of a security compromise.
Device stakeholders would do well to review these documents and make sure they understand the steps needed to meet these standards and to comply with the HIPAA Security Rule.
WHAT STAKEHOLDERS SHOULD DO
There are a number of practical steps that reduce risk. Training all personnel is critical to preventing lost devices, successful phishing attacks, password sharing, and similar lapses. Keeping software current is a simple and important measure; for medical devices, operators should coordinate patching with the vendor, since the vendor is responsible for validating that an update does not affect the device's safety or effectiveness. Segmenting the network so that medical devices sit apart from general-purpose systems limits how far a compromise can spread, and it is the main defense available for devices that cannot be patched or whose passwords cannot be changed. New devices and software should be assessed for vulnerabilities, including default or hard-coded credentials and unnecessary open services, before they are added to the network.
On top of those steps, healthcare entities should conduct regular risk assessments and network security audits; the HIPAA Security Rule requires a documented risk analysis. Aligning policies with a recognized framework such as ISO/IEC 27001, COBIT 5, or the HITRUST Common Security Framework is strongly advisable, as it gives the risk analysis and the resulting controls a defensible structure.