With more and more medical devices operating in the IT spectrum, the FDA is urging stakeholders in the health care industry to safeguard devices by assessing how they function — and weighing the clinical risks associated with hacking.
In a webinar entitled "Postmarket Management of Cybersecurity in Medical Devices – Final Guidance," FDA experts discussed how to establish and communicate vulnerability intake and handling, and how to engage in information sharing for cyber vulnerabilities and threats.
“Connected medical devices, like all other computer systems, incorporate software that is vulnerable to threats,” said Dr. Suzanne Schwartz, associate director for sciences and strategic partnerships in the FDA's Center for Devices and Radiological Health. “When medical device vulnerabilities are not addressed and remediated, they can serve as points of entry into a hospital and health care network.”
Of course, the recent uptick in health care cyber attacks has been well documented. From device vulnerabilities to patient data infiltration, the industry as a whole seems to have become an increasingly desirable target for hackers.
“This can lead to compromise of data confidentiality, integrity and availability. Worse yet, it can introduce basic concerns to the patients who rely on the effective use of these devices, whether in the hospital, at the bedside, at home, or implanted,” she said.
Some key principles of postmarket management include using a risk-based framework so that risks are addressed in a timely and orderly fashion. The FDA also stressed that stakeholders should continue collaborating in order to share information and risk assessments.
In an image provided by Dr. Seth Carmody, FDA cybersecurity project manager, postmarket cybersecurity risk is assessed in terms of the exploitability of a vulnerability and the severity of patient harm if the vulnerability is exploited.
“The manufacturer must assess whether the risk of patient harm is controlled or uncontrolled. With respect to the y-axis, exploitability, the suggested approach is to use the common vulnerability scoring system,” Carmody said.
The common vulnerability scoring system (CVSS) is broken down into three main parts: base scoring (risk factors of the vulnerability), temporal scoring (risk factors that change over time), and modified base scoring (what the organization controls and can be assessed by the manufacturer).
“With respect to the x-axis, manufacturers should already have processed the severity of impact of the effect on the patient,” said Carmody. “The severity of patient harm increases from minor and temporary to requiring medical intervention, as well as death.”
For a controlled risk, Carmody gave an example of a researcher who publicly disclosed code for a four-year-old vulnerability through which an unauthorized user can view a patient’s health information in a database but can’t edit or manipulate the information. The manufacturer determines that this is a controlled risk and notifies its customers of the problem, then documents the effectiveness of the cybersecurity update.
A situation is uncontrolled when, in the postmarket stage, the manufacturer discovers a vulnerability that has yet to be exploited but that introduces a “failure mode” that can change the way the device functions. Even though no one has yet been harmed, the device does not reduce the risk of patient harm to an acceptable level and is therefore uncontrolled.
If there is an uncontrolled risk factor, within 30 days, the manufacturer has to notify the stakeholders and tell them to disconnect the device from the hospital’s network. Within 60 days, the manufacturer has to distribute a patch to mitigate the problem.
In order to become a member of an Information Sharing and Analysis Organization (ISAO), a manufacturer has to share any vulnerabilities and threats that could impact medical devices, including any customer concerns regarding cybersecurity vulnerabilities.
The manufacturer also has to document the steps it took to assess and respond to the vulnerability. If the manufacturer is part of an ISAO, it can minimize exploits by having risk control measures in place, which can include communicating with patients and users.