7 KEYS TO AVOID MEDICAL DEVICE CYBERSECURITY THREATS
As cyber threats interfering with the U.S. Presidential election gain headlines, a more disturbing undercurrent has emerged within medical devices.
Take the recent story of St. Jude Medical. The Minnesota-based manufacturer is being investigated by the U.S. Food and Drug Administration (FDA) amid claims that their cardiac devices are riddled with defects that make them vulnerable to fatal cybersecurity threats. Medical product security deserves some serious attention. The last thing a startup can afford is an FDA Investigation.
“Medical device vulnerabilities are always going to be there, or there are new ones that are always going to be emerging and evolving.”
– Suzanne Schwartz, Associate Director for Science and Strategic Partnerships, FDA Center for Devices and Radiological Health
Fact is stranger than fiction, indeed. Sometimes is it scarier. In terms of medical products, the latter is increasingly becoming more frequent. Effective cybersecurity controls are the topic du jour of medical device manufacturers. This area is becoming increasingly important as more devices incorporate wireless and internet technologies. When intended to diagnose, cure, mitigate, treat, or prevent disease these risks cannot be taken lightly. The reality is that cyber dangers can affect functionality and safety.
However, technology innovators and visionaries should not be deterred from advancing medical technology. Healthcare systems around the world rely on software only devices, programmable medical devices, and networked medical devices. Their benefit to humanity is too great. Luckily, setting up simple processes to protect against threats is easy. Your reputation among patients, hospitals, physicians, and insurance companies is on the line. Build trust today. Invest in these seven areas to avoid cybersecurity pitfalls:
1. QUALITY SYSTEM
The obvious place to start is to adhere to the FDA’s Quality Systems Regulation (QSR). The QSR contains requirements for all processes affecting devices. These requirements are meant to control the design, manufacture, packaging, labeling, storage, installation and servicing of devices. Specific areas of concern are complaint handling, quality audits, corrective and preventive actions, software validation and risk analysis. In general, cybersecurity risk management programs should address vulnerabilities that may impact patient safety and permit unauthorized access, modification, misuse, denial of use or unauthorized use of information. Since cyber risks are continuous, it is imperative that manufacturers establish a well designed QSR. Early stage companies need to think long and hard about this. The reason being is that there are a myriad of subparts to the regulation. For instance, Subpart C — Design Controls lays out Design Inputs and Verification and Validations requirements, which are two areas where cybersecurity risks should be managed. Overall, cybersecurity risk management should address vulnerabilities that impact patient safety and permit unauthorized access, modification, misuse, denial of use, or unauthorized use of information.
2. DEFINE ESSENTIAL CLINICAL PERFORMANCE
Essential clinical performance, per FDA guidance, is the performance necessary to achieve freedom from unacceptable clinical risk. If essential clinical performance is endangered, then two things may occur. Firstly, there may be harm to the patient, which is bad enough. Other than that, intervention may be necessary to prevent further patient harm. Manufacturers should define essential clinical performance early in their design process. The point is to develop a mitigation strategy against cyber threats, while retaining the ability to respond and recover from such threats. Make sure to identify the severity of different outcomes in the event that your product becomes compromised. The next step is to establish risk acceptance criteria — a scoring system like those utilized in FMEA’s (Failure Mode and Effect Analysis). The net result is that your firm can assess the impact of cybersecurity vulnerabilities, addressing each according to urgency.
3. CYBERSECURITY INFORMATION SHARING
By monitoring the sources of cybersecurity information sources, you can more effectively identify and detect threats. FDA openly encourages makers of medical devices to participate in a cybersecurity Information Sharing Analysis Organization, or ISAO, in order to facilitate sharing and dissemination of cybersecurity information and intelligence pertaining to vulnerabilities and threats across multiple sectors. In the eyes of FDA regulators, cyber risks are a shared responsibility.
4. INTAKE AND HANDLING PROCESSES
It is recommended that device manufacturers set-up a procedure for vulnerability intake and handling. One that is consistent and reproducible. Keep in mind the following two FDA definitions:
- Vulnerability: a weakness in an information system, system security procedures, internal
controls, or implementation that could be exploited by a threat.
- Threat: any circumstance or event with the potential to adversely impact the essential clinical performance of the device, organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Threats exercise vulnerabilities, which may impact the essential clinical performance of the device.
Luckily, ISO/IEC 30111:2013 (Information Technology — Security Techniques — Vulnerability Handling Processes) is a standard that has been recommended by the FDA. If you are a Project Manager, Regulatory Affairs or Quality Assurance professional, then do yourself a favor and obtain a copy of this document. Investing in this guideline for processing potential vulnerabilities, signals to regulators that you are committed to combating cybersecurity. Manufacturers could further enhance threat detection by adding detection mechanisms into the design of their product — be it hardware or online service. Even better would be to add device features that alert users when an attack has been detected.
5. RISK ASSESSMENT PROCESS
Establish a process to systematically evaluate risk. The most important thing, is to divide vulnerabilities into acceptable risks or unacceptable risks. It is advisable to assess a vulnerability’s exploitability as well as its impact to patient health if exploited. An assessment tool like the Common Vulnerability Scoring System (CVSS) is recommended to rate vulnerabilities and their respective response urgency. Similarly, the standard ANSI/AAMI/ISO 14971 (Application of Risk Management to Medical Devices) is recommended for assessing patient-health impact severity in the event that a threat were to be exploited.
FDA recommends that manufacturers make a call one way or another regarding vulnerabilities. Ostensibly, a binary determination is needed to specify whether a vulnerability is controlled or uncontrolled. As you may have guessed, this needs to be a documented process. Make sure that your protocol accounts for three things: the product, its essential clinical performance, and the situation. Consider these terms as defined by the FDA:
- Controlled Vulnerability: a threat that poses sufficiently low residual risk that the device’s essential clinical performance could be compromised by successful exploitation of the vulnerability.
- Uncontrolled Vulnerability: a threat that poses unacceptable residual risk that the device’s essential clinical performance could be compromised due to insufficient risk mitigation and compensating controls with respect to such vulnerability. Risk mitigations, including compensating controls, should be implemented when necessary to bring the residual risk to an acceptable level.
6. RESPONSE TO CONTROLLED RISKS & VULNERABILITIES
Once a firm ascertains that a vulnerability is controlled, it should adopt the following changes or compensating controls:
- Routine updates and patches intended to increase device security and/or remediate vulnerabilities and other changes to a device made solely to strengthen cybersecurity.
- For premarket approval (PMA) devices with periodic reporting requirements, manufacturers should report newly acquired information concerning cybersecurity vulnerabilities and device changes made as part of cybersecurity routine updates and patches to FDA in a periodic (annual) report.
7. RESPONSE TO UNCONTROLLED RISKS & VULNERABILITIES
Responding to vulnerabilities by set out mitigations for risk early and prior to exploitation, will serve you well in the long run. For vulnerabilities deemed to be uncontrolled, the FDA recommends the following changes:
- Manufacturers should remediate the vulnerabilities to reduce the risk of compromise to essential clinical performance to an acceptable level.
- If it is not feasible or immediately practicable to implement a complete solution to remove a cybersecurity vulnerability from a medical device, manufacturers should identify and implement risk mitigations and compensating controls, such as a work-arounds or temporary fixes, to adequately mitigate the risk.
- Manufacturers should report these vulnerabilities to the FDA under the correction and removal reporting requirements, unless reported under another FDA reporting requirement. The FDA states, however, that it does not intend to enforce reporting requirements under the correction and removal requirement if:
- There are no known serious adverse events or deaths associated with the vulnerability.
- Within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users.
- The manufacturer is a participating member of an ISAO.
- Remediation of devices with annual reporting requirements (e.g., Class III devices) should be included in the annual report.
- Manufacturers should evaluate the device changes to assess the need to submit a
- Manufacturers should provide their customers, whether hospitals, physicians, or patients the relevant information on recommended fixes and residual cybersecurity risks so that they can take appropriate steps to mitigate the risk and make informed decisions.
- For premarket approval devices with periodic reporting requirements, information concerning cybersecurity vulnerabilities and the device changes and compensating controls implemented in response to this information should be reported to FDA in a periodic annual report.
All things considered, we strongly advise that medical device manufacturers be proactive when it comes to setting up procedures to mitigate cybersecurity vulnerabilities. The FDA world is driven by documented procedure and records, and this evolving space is no exception. Keys to a successful product development lifecycle include monitoring and identifying cybersecurity loopholes before ultimately addressing them. The first step is to build a solid Quality System. If done right, then it will pay dividends every month. Once a firm’s Quality System is established then management should deliberately incorporate the FDA’s 2016 guidance document on postmarket management of cybersecurity threats. As with any project, planning is paramount. Involving stakeholders from across the organization is essential. Gather requirements, delegate work deliverables, and hold design meetings regularly. If you emphasize the above criteria, then your product will be confidently adopted by hospitals and patients. Moreover, your organization will be buoyed by their positive social impact.
ANDERS KISS, Contributor
Opinions expressed by QUALITY REMEDY contributors are their own. The full article can be found on qualityremedy.com/commentary.