Contributions to this post were made by Computing Community Consortium (CCC) Council Member Kevin Fu, Associate Professor at the University of Michigan. Kevin also co-founded Virta Labs, a healthcare cybersecurity company.
A growing number of medical devices are designed to be networked to facilitate patient care. However, as we have seen, networked medical devices and hospital record systems run software, and that software makes them vulnerable to cybersecurity threats. Proactively addressing cybersecurity risks in hospitals reduces the patient safety impact of those threats and the overall risk to public health.
On January 22, 2016, the Food and Drug Administration (FDA) released a draft document to inform industry and FDA staff on recommendations for managing postmarket cybersecurity vulnerabilities for marketed medical devices. This document clarifies FDA’s postmarket recommendations and emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices.
The FDA asked the research community to submit comments and suggestions regarding this draft document. Kevin Fu, whose recent research explores problems that impact the trustworthiness of medical device software, submitted a letter in response to the FDA request for comments on this topic.
Fu’s major recommendation pertains to language choice when describing postmarket risks, so that manufacturers monitor for postmarket problems without falling victim to the streetlight effect (looking only where it is easiest to look, rather than where the problems are). While network-based threats are a significant part of the problem, they are just one of many postmarket problems. There’s a reason we don’t write one guidance document on how to avoid the flu spread by sneezing and then a separate guidance document on how to avoid the flu spread by coughing. By focusing instead on overall exposure to cybersecurity risk, the industry can better prepare for shifting threats, whether they arrive by network, USB drive, telephone social engineering, or whatever fancy technology next comes out of Silicon Valley. To ensure that the postmarket guidance remains relevant as technology and threats change, it should focus on overarching exposure rather than on individual streetlight modalities.
Fu also advises manufacturers and healthcare delivery organizations (HDOs) to follow the NIST cybersecurity guidance for critical infrastructure. For example, (1) enumerate cybersecurity risks, because deploying technology without understanding risk is counterproductive; (2) deploy cybersecurity controls that match the specific risks; and (3) continuously measure the effectiveness of those security controls, because new threats, newly discovered vulnerabilities, and misconfigurations can bypass a previously effective control within seconds. The enumeration step matters: if you just look for threats against your core reactor, you might forget about your thermal oscillator.
You can follow Kevin on Twitter @DrKevinFu or read his blog on medical device security and safety.