[BreachExchange] Managing Medical Device Cybersecurity in the Postmarket: At the Crossroads of Cyber-safety and Advancing Technology

Inga Goddijn inga at riskbasedsecurity.com
Wed Dec 28 17:51:36 EST 2016


http://blogs.fda.gov/fdavoice/index.php/2016/12/managing-medical-device-cybersecurity-in-the-postmarket-at-the-crossroads-of-cyber-safety-and-advancing-technology/

Protecting medical devices from ever-shifting cybersecurity threats
requires an all-out, lifecycle approach that begins with early product
development and extends throughout the product’s lifespan.

Today, we’re pleased to announce that industry now has advice from FDA
across this product continuum with the release of a final guidance
<http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf>
on the postmarket management of medical device cybersecurity. It joins an
earlier final guidance on medical device premarket cybersecurity issued in
October 2014.

To understand why such guidance is so important for patients, caregivers
and the medical device community, we need to take a step back and look at
how cybersecurity fits into the medical device ecosystem.

In today’s world of medical devices that are connected to a hospital’s
network or even a patient’s own Internet service at home, we see
significant technological advances in patient care and, at the same time,
an increase in the risk of cybersecurity breaches that could affect a
device’s performance and functionality.

The best way to combat these threats is for manufacturers to consider
cybersecurity throughout the total product lifecycle of a device. In other
words, manufacturers should build in cybersecurity controls when they
design and develop the device to assure proper device performance in the
face of cyber threats, and then they should continuously monitor and
address cybersecurity concerns once the device is on the market and being
used by patients.

Today’s postmarket guidance recognizes today’s reality – cybersecurity
threats are real, ever-present, and continuously changing. In fact,
hospital networks experience constant attempts of intrusion and attack,
which can pose a threat to patient safety. And as hackers become more
sophisticated, these cybersecurity risks will evolve.

With this guidance, we now have an outline of steps the FDA recommends
manufacturers take to remain vigilant and continually address the
cybersecurity risks of marketed medical devices. Central to these
recommendations is FDA’s belief that medical device manufacturers should
implement a structured and comprehensive program to manage cybersecurity
risks. This means manufacturers should, among other things:

   - Have a way to monitor and detect cybersecurity vulnerabilities in
   their devices
   - Understand, assess and detect the level of risk a vulnerability poses
   to patient safety
   - Establish a process for working with cybersecurity researchers and
   other stakeholders to receive information about potential vulnerabilities
   (known as a “coordinated vulnerability disclosure policy”)
   - Deploy mitigations (e.g., software patches) to address cybersecurity
   issues early, before they can be exploited and cause harm

This approach enables manufacturers to focus on continuous quality
improvement, which is essential to ensuring the safety and effectiveness of
medical devices at all stages in the device’s lifecycle.

In addition, it is paramount for manufacturers and stakeholders across the
entire ecosystem to consider applying the National Institute of Standards
and Technology’s (NIST) core principles for improving critical
infrastructure cybersecurity
<https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf>:
to identify, protect, detect, respond and recover. It is only through
application of these guiding principles, executed alongside best practices
such as coordinated vulnerability disclosure, that we will all be able to
navigate this uncharted territory of evolving risks to device security.

This is clearly not the end of what FDA will do to address cybersecurity.
We will continue to work with all medical device cybersecurity stakeholders
to monitor, identify and address threats, and intend to adjust our guidance
or issue new guidance, as needed.

Digital connections power great innovation—and medical device cybersecurity
must keep pace with that innovation. The same innovations and features that
improve health care can increase cybersecurity risks. This is why we need
all stakeholders in the medical device ecosystem to collaborate to
simultaneously address innovation and cybersecurity. We’ve made great
strides but we know that cybersecurity threats are capable of evolving at
the same pace as innovation, and therefore, more work must be done.

*Learn More*

For more information about medical device cybersecurity, visit the FDA’s Center
for Devices and Radiological Health
<http://www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm> web page.