[BreachExchange] FDA Proposes Action to Enhance Medical Device Cybersecurity

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 19 18:01:26 EDT 2018


https://www.databreachtoday.com/fda-proposes-action-to-enhance-medical-device-cybersecurity-a-10838

The Food and Drug Administration has issued plans - some of which will
require Congressional approval - for enhancing the safety of medical
devices. Those include several proposals for advancing cybersecurity,
including imposing new requirements on device manufacturers.

Some experts say the FDA's plans are a good move, given the current device
risk environment, but they warn that some proposals could prove difficult
to achieve.

The FDA is seeking "additional authorities and funding for Congress to
consider, which would build on [FDA's] work to date and further minimize
medical device cybersecurity vulnerabilities and exploits," Scott Gottlieb,
M.D., FDA commissioner, says in a statement.

"Although medical devices provide great benefits to patients, they also
present risks. With FDA's plan, we are focusing equal attention on
advancing new frameworks for identifying risks and protecting consumers,"
he says.

"In recent years FDA, manufacturers and healthcare entities have made
tremendous strides to improve the cybersecurity of medical devices.
However, all stakeholders, including FDA, must strive to keep pace with
emerging threats and vulnerabilities."

The FDA, in a statement to Information Security Media Group, notes: "For
all aspects of the Medical Device Safety Action Plan, the agency will
leverage existing authorities whenever possible and identify funding to
meet our goals. [But] with regard to the cybersecurity proposals, the FDA
plans to consider seeking new authorities [from Congress] related to
pre-market submissions and post-market authorities."

Core Proposals

The FDA's overall plan for enhancing medical device safety and innovation
focuses on five key areas. In addition to advancing medical device
cybersecurity, the other components are:

- Establish a robust medical device patient safety net;
- Explore regulatory options to streamline and modernize timely
implementation of post-market mitigations;
- Spur innovation toward safer medical devices;
- Integrate the FDA's Center for Devices and Radiological Health's
pre-market and post-market offices and activities to advance the use of a
"total product life cycle" approach to device safety.

Advancing Cybersecurity

Specific FDA proposals for advancing medical device cybersecurity include
the agency seeking authority to impose new requirements on device
manufacturers.

The FDA's current pre-market and post-market cybersecurity guidance
documents generally "recommend" that medical device makers take a number of
steps to address the cybersecurity of their products, including patch
management. The guidance, however, is non-binding.

The agency's new proposal includes "potential new pre-market authorities"
that would require firms to build the capability to update and patch device
security into a product's design, and to provide appropriate data about
that capability to the FDA as part of the device's pre-market submission,
the agency says.

Also, the FDA is considering requiring that medical device firms develop a
"software bill of materials" that must be provided to the agency as part of
a pre-market submission and also made available to medical device customers
and users. This would help those customers and users better manage their
networked assets and be aware of which devices in their inventory or in use
may be subject to vulnerabilities, the agency says.

"In addition, availability of a 'software bill of materials' will enable
streamlining of timely post-market mitigations," the FDA notes.
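To make the SBOM proposal concrete, the following Python is an added example, not code from the article, the FDA or any device manufacturer. It shows the use case the plan describes: a hospital cross-references manufacturer-supplied SBOMs against its own asset inventory and a feed of component advisories to find which devices on its network are exposed. It also flags devices with no SBOM at all, and flags SBOMs older than a cutoff as stale, since a list that is not kept current (the concern Ransford raises later in the article) can give false assurance. The SBOM shape is a simplified CycloneDX-like structure, and every device model, asset ID, component version and advisory ID below is constructed for illustration; the version comparator is deliberately simple and is not a substitute for ecosystem-specific version rules.

```python
import re
from datetime import date, timedelta

# ---- constructed sample data: no real devices, SBOMs or advisories ----

# Hypothetical manufacturer-supplied SBOMs, one per device model, in a
# simplified CycloneDX-like shape: generation date plus a component list.
SBOMS = {
    "infusion-pump-x": {
        "timestamp": "2018-04-01",
        "components": [
            {"name": "openssl", "version": "1.0.2k"},
            {"name": "busybox", "version": "1.27.2"},
        ],
    },
    "patient-monitor-y": {
        "timestamp": "2017-06-15",  # old enough to be flagged as stale below
        "components": [
            {"name": "openssl", "version": "1.0.2n"},
            {"name": "lwip", "version": "2.0.2"},
        ],
    },
}

# Hypothetical hospital asset inventory. "legacy-ventilator-z" has no SBOM,
# which is exactly the "mystery meat" situation the proposal targets.
INVENTORY = [
    {"asset_id": "ICU-PUMP-07", "model": "infusion-pump-x", "location": "ICU"},
    {"asset_id": "ICU-PUMP-08", "model": "infusion-pump-x", "location": "ICU"},
    {"asset_id": "ED-MON-03", "model": "patient-monitor-y", "location": "ED"},
    {"asset_id": "OR-VENT-01", "model": "legacy-ventilator-z", "location": "OR"},
]

# Constructed advisories with placeholder IDs (not real CVEs). "fixed_in" is
# the first version of the component that is no longer affected.
ADVISORIES = [
    {"id": "ADV-0001", "component": "openssl", "fixed_in": "1.0.2n"},
    {"id": "ADV-0002", "component": "lwip", "fixed_in": "2.0.3"},
]

# Date the assessment is run; fixed so the example is reproducible.
AS_OF = date(2018, 4, 19)


def version_key(version):
    """Turn '1.0.2k' into ((1, ''), (0, ''), (2, 'k')) so that versions
    compare in order. A deliberately simple comparator for the example."""
    key = []
    for segment in version.split("."):
        m = re.match(r"(\d*)(.*)", segment)
        key.append((int(m.group(1)) if m.group(1) else -1, m.group(2)))
    return tuple(key)


def is_affected(installed, advisory):
    """True if the installed version is older than the advisory's fix."""
    return version_key(installed) < version_key(advisory["fixed_in"])


def sbom_is_stale(sbom, as_of, max_age_days=180):
    """An SBOM that has not been regenerated recently may not reflect the
    firmware actually running, so its findings are marked as lower confidence."""
    generated = date.fromisoformat(sbom["timestamp"])
    return as_of - generated > timedelta(days=max_age_days)


def assess_fleet(inventory, sboms, advisories, as_of):
    """Return (findings, unknown): one finding per (device, advisory) match,
    and the asset IDs of devices for which no SBOM is available."""
    findings, unknown = [], []
    for device in inventory:
        sbom = sboms.get(device["model"])
        if sbom is None:
            unknown.append(device["asset_id"])
            continue
        stale = sbom_is_stale(sbom, as_of)
        for component in sbom["components"]:
            for advisory in advisories:
                if advisory["component"] != component["name"]:
                    continue
                if is_affected(component["version"], advisory):
                    findings.append({
                        "asset_id": device["asset_id"],
                        "location": device["location"],
                        "advisory": advisory["id"],
                        "component": f'{component["name"]} {component["version"]}',
                        "sbom_stale": stale,
                    })
    return findings, unknown


if __name__ == "__main__":
    findings, unknown = assess_fleet(INVENTORY, SBOMS, ADVISORIES, AS_OF)
    for f in findings:
        flag = " (SBOM stale, verify on device)" if f["sbom_stale"] else ""
        print(f'{f["asset_id"]} [{f["location"]}]: {f["advisory"]} via {f["component"]}{flag}')
    for asset in unknown:
        print(f"{asset}: no SBOM available, exposure unknown")
```

In practice the advisory feed and inventory would come from the organization's vulnerability-intelligence and asset-management systems, and a finding with `sbom_stale` set should be confirmed against the device itself before a patch or network-segmentation decision is made on it.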

Updating Guidance

While the FDA has in recent years issued pre-market and post-market
cybersecurity guidance for medical devices, the agency is proposing updates.

That includes the agency updating its pre-market guidance on medical device
cybersecurity "to better protect against moderate risks - such as
ransomware campaigns that could disrupt clinical operations and delay
patient care - and major risks - such as exploiting a vulnerability that
enables a remote, multi-patient, catastrophic attack," the agency's plan
notes.

An FDA spokeswoman tells ISMG that the agency "will update the pre-market
cybersecurity guidance, but we do not have a timeline to share on that."

In addition, the FDA says it's also considering new post-market authority
to require that firms adopt policies and procedures for coordinated
disclosure of vulnerabilities as they are identified.

New Cyber Safety Board

Besides those proposals, the FDA says it is exploring the development of a
CyberMed Safety Expert Analysis Board. "The CYMSAB would be a
public-private partnership that would complement existing device
vulnerability coordination and response mechanisms and serve as a resource
for device makers and FDA," the agency says.

"The CYMSAB would encompass a broad range of expertise - including
hardware, software, networking, biomedical engineering and clinical - in
order to integrate critical patient safety and clinical environment
dimensions into the assessment and validation of high-risk/high-impact
device vulnerabilities and incidents."

The group's functions would include "assessing vulnerabilities, evaluating
patient safety risks, adjudicating disputes, assessing proposed
mitigations, serving in a consultative role to organizations navigating the
coordinated disclosure process, and serving as a 'go-team' that could be
deployed in the field to investigate a suspected or confirmed device
compromise at a manufacturer's or FDA's request," FDA says.

President Trump's fiscal 2019 budget "includes a proposal to expand the
digital technology industry, which would include funding to support
creation of the CYMSAB," the FDA spokeswoman says.

Moving in Right Direction?

Some security experts say that the FDA's intensifying focus on medical
device cybersecurity issues is critically important to patient safety.

"FDA is moving carefully and deliberately in the right direction," says Ben
Ransford, co-founder and CEO at Virta Labs, a healthcare cybersecurity firm.

"As a firm that grapples with [medical] devices once they're out in the
field, we're very happy with FDA's proposals," he says. "Devices shouldn't
be mystery meat on hospital networks, and manufacturers must be willing and
able to cooperate with security researchers acting in good faith."

Bill Aerts, deputy director of the Archimedes Center for Medical Device
Security at the University of Michigan, calls the FDA's plan "another
positive step" in the effort to improve device security. "Healthcare still
has much work to do to make all of the improvements needed."

Aerts says that the proposals could have a positive impact. "Most of them
are not surprising based on what the FDA has been saying and what many of
the leading device manufacturers are working on," he says.

Ransford says the FDA proposal with the greatest impact will be a
requirement that manufacturers improve patching. "Healthcare providers tell
us they feel their hands are tied when it comes to patching most devices,"
he says.

"The jury is still out" on the software bill of materials proposal,
Ransford says. "On the one hand, it's good to know what's inside a device.
But on the other hand, knowledge is only half the battle for providers, and
manufacturers will struggle to keep those lists up to date."

As for the proposal to launch a CYMSAB, it's "a great idea provided it can
remain neutral," Ransford says. "FDA's involvement can equip this panel
with a stick for cases in which the guidance carrots don't work."

Aerts is less certain, however, about the viability of the CYMSAB proposal.

"While it is a promising idea, I think the CYMSAB could be the most
difficult challenge, as it can be difficult to assemble a group of true
experts in the field and manage and communicate the information. And
without taking proper care, the board could be received by manufacturers as
an intrusion into their product development."