- Nearly a year after FDA released its Medical Device Safety Action Plan, medical device cybersecurity remained a hot topic at HIMSS 2019 as the sector grapples with FDA's draft guidance and develops feedback for the agency.
- The key, according to Suzanne Schwartz, FDA associate director for science and strategic partnerships at its device center, is to ensure new medical devices entering the marketplace can be updated throughout a device's total life cycle and potentially require firms to build a software bill of materials.
- Experts called attention to the need for health systems to have a better understanding of the devices in their inventory and a game plan to respond to cyberattacks when they occur.
The WannaCry attack highlighted the need for hospitals to have a better understanding of medical devices in their inventory in order to better be equipped to respond to cyberattacks, according to Juuso Leinonen, a senior project engineer at the ECRI Institute.
Such an effort aligns with FDA's efforts to call for new authorities to require manufacturers to build in the ability to patch and build in security updates into the development of medical devices.
"We cannot be in this position that new devices that go on the market don't have inherent within them the ability to be patched and updated throughout their use lifetime," Schwartz said at a HIMSS panel. "There could be a necessity to actually have that be an additional authority required on the premarket side."
Schwartz highlighted one effort to engage with an International Medical Device Regulators Forum work group led by FDA and Health Canada working on consensus principles for medical device cybersecurity. The goal for the group is to develop a guidance for multiple regulatory bodies covering best practices from the beginning to end of the lifecycle for devices.
The effort comes as more medical device cybersecurity advisories are being reported by groups like ICS-CERT. Chad Waters, a senior cybersecurity engineer at the ECRI Institute, noted at another HIMSS panel that despite the uptick in advisories, there are likely more not being reported.
"Last year there were 30 medical device related advisories from 14 different medical device vendors. There are a lot more vendors out there so there are a lot of vulnerabilities out there that are not being disclosed," Waters said.
Schwartz is concerned the companies coming forward to disclose vulnerabilities are being unfairly punished for being proactive in communicating to the public, noting they are often slammed by a negative press cycle.
"We really need to flip that narrative. Actually, those industries, those manufacturers represent the most mature of organizations. That's what we want to see everybody doing. That sharing of information, that transparency around disclosure of vulnerabilities," Schwartz said.
No matter what steps organizations take to mitigate risk, it will always be present, according to Schwartz.
"There should not be an expectation that a medical device has no risk and no vulnerability associated with it. The key is to be able to assess what the risk is — the key is to be able to identify and assess that vulnerability for its severity of impact and its exploit-ability," Schwartz said.
One step Leinonen said more health systems should consider taking is appointing a medical device cybersecurity point person to serve as a liaison between engineers and IT employees often tasked with tackling cybersecurity issues.
Another step he recommends is developing standard processes for organizations to implement when vulnerabilities become known but a security patch for a device is not yet available.
"Medical device cybersecurity alerts are likely to become more and more of a headache for organizations to effectively respond and deal with them," Leinonen said.