FDA Addresses Medical Device Security as Hospital Cyberattacks Increase

As hospital chief information security officers report that their networks are under constant attempts at intrusion, the Food and Drug Administration (FDA) is taking a look at how medical devices can be used as access points into the larger networks.

“Let me state very very clearly that cybersecurity is not optional for medical devices,” said Suzanne Schwartz, associate director for Science and Strategic Partnerships at the FDA, at the Medical Device Safety and Security Fall Congress on Oct. 31. “Bake security in rather than bolting it on.”

Schwartz said that hospitals provide a large attack surface and at the same time, the medical sector has seen an increase in adversarial activity, including cyberattacks at MedStar Health in Washington, D.C.; Methodist Hospital in Henderson, Ky.; and Hollywood Presbyterian Medical Center, Calif.

The FDA uses a risk based framework determined by the severity of potential patient harm and the exploitability of the device to assess the feasibility of medical devices.

When medical device manufacturers experience an uncontrolled vulnerability the FDA requires them to first, find out if the vulnerability has caused an injury or death of a patient; second, put out an initial fix for the vulnerability within 30 days and follow up with a complete fix within 60 days; and third, participate in information sharing and analyze how the vulnerability occurred. If the company follows these steps, then they would receive incentives from the FDA; however, the FDA recognizes that sometimes this timeline cannot be followed due to obstacles.

“We do applaud all the tremendous efforts and the culture shifts that have happened to date,” Schwartz said.

Schwartz said that in two to three years, she hopes that the reporting of vulnerabilities will be commonplace and won’t result in as much backlash as reporting does now.

Schwartz said that the recent WannaCry and Petya attacks have brought some of the FDA’s concerns to the surface, such as what could happen if patient care is disrupted because hospitals lose access to life-saving devices like MRI machines, and CT scanners. Although the United States didn’t experience major disruption due to the Petya attack, hospitals in Europe witnessed cybersecurity intrusions that disrupted patient care.

“This allows us to consider some of the struggles with legacy systems and patchability,” Schwartz said.

Schwartz said that in order to mitigate large scale, multi-patient attacks, the FDA is telling manufacturers to take cybersecurity measures in every aspect of their products.

“One has to think about cybersecurity, address it, and build it into the management plan throughout the entire lifecycle,” Schwartz said.

Schwartz said that the most important part of the job is to instigate information sharing about medical device cybersecurity between manufacturers, doctors, patients, lab technologists, and business people. It’s difficult to find a common language about cybersecurity that resonates with all of the groups. From 2013 to present, the FDA has been focused on the information sharing aspect of the problem.

Schwartz said that doctors have to inform patients on their decisions to use a connected medical device based on the patients’ personal needs. For example, an 80-year-old might have different considerations about cybersecurity than a 30-year-old with a high profile job that could be a target for cyberattack. Schwartz said that the 30-year-old might chose to use a device without a remote connection, even if that connection has life-saving effects. Ultimately the patients have to have the information to decide what trade-offs they need to make, which provides a need for a comprehensive language about cybersecurity.

“We’ve got to be able to work together,” Schwartz said. “We have to be thinking about potential scenarios differently than we have in the past.”

Recent