The FDA prioritizes medical device security with a plan for revamped cybersecurity guidance
Even if you don’t live in the US, you probably have heard about the Food and Drug Administration (FDA), the US federal agency responsible for regulating what we eat and what medicines we use. The FDA has been in the news during the pandemic, issuing emergency approval orders as Covid-related vaccines have come off their research trials and begun distribution to the public.
One lesser-known aspect of the FDA is their role in regulating medical devices such as insulin pumps and pacemakers. Several years ago, they issued their device safety plan. As they stated in the plan, “these devices can be vulnerable to security breaches and exploited,” in a way that could compromise patient safety. “Cybersecurity threats to the healthcare sector have become more frequent, more severe, and more clinically impactful,” as they stated in a 2018 draft document filled with cybersecurity guidance for new device makers. Indeed, this very issue was a plot point back in 2012 in the TV series Homeland, in which the vice president's character was killed by terrorists who hacked his pacemaker. While this scenario is unlikely, there is clearly a need for better cybersecurity standards with medical devices.
The documents from 2018 are now going through some major updates. Last September, the FDA published a roadmap for what they call the pre-certification program. This is a new FDA program that will be used to prove out the safety and effectiveness of medical devices, done in cooperation with industry stakeholders to streamline the regulatory process. The agency also posts a series of cybersecurity alerts, similar to other government agencies, about potential device vulnerabilities.
The agency has appointed Kevin Fu its first Acting Director of Medical Device Cybersecurity in the Center for Devices and Radiological Health. This center has several bodies, including the CyberMed Safety Board, the Digital Health Center of Excellence and other offices. Fu is an interesting choice: he's most recently an associate professor of computer Science at the University of Michigan, and has previously held major management roles in the private sector. Fu was credited for establishing the field of medical device security beginning with a 2008 IEEE paper on defibrillator security and founding the non-profit research collaborative Archimedes Center for Medical Device Security. What's more, he has also testified before Congress back in 2016, enumerating these failures of medical IoT devices.
I interviewed him via email after the announcement of his one-year appointment at the FDA. One of his first priorities is to publish new cybersecurity guidance using secure software development lifecycle methods that emphasize trustworthiness, transparency, and resilience.
When asked where the likely source of threats to medical devices in the home would originate, he replied, “...the lack of a meaningful threat model, since the home can be a shared environment that may pose [all kinds of] cybersecurity threats.” In his classes at Michigan, he taught how secure systems have to depend on untrustworthy components and networks. “For instance, when a firewall fails, it tends to fail catastrophically. On the other hand, a trustworthy computer system will fail gracefully even if an underlying firewall fails or if a neighboring IoT device on the network is compromised.” This means “designing for the smallest possible trusted computing base as possible.” That will be a challenge, especially as the number of home IoT devices continues to mushroom.
I asked Fu if it will be harder working at the FDA compared to teaching computer science to undergraduate students. “The two missions are intertwined. Cybersecurity is not optional and is not merely a checklist. One challenge is that security engineering courses largely remain optional in computer science departments and there is great variation across universities that offer security courses,” he said. Having been an advisor to a local university’s cybersecurity degree program, I can attest to the truth of this statement.
FDA produced last October this Draft Framework for Communicating Medical Device Cybersecurity Risks to Patients. It included such recommendations as to keep explanations clear, concise, timely, and relevant for a diverse audience that speaks a variety of languages and cultures. The framework included a sample document that could be used as a template to warn of potential cyber risks of a fictional insulin pump. Another part of Fu’s responsibilities is to review the public comments received from this draft and to continue the dialogue with patient representatives. “We have found that these collaborative forums which bring together stakeholders from across the entire device ecosystem are extremely productive and elucidate critical insights for our consideration, since patients are at the heart of everything we do.”
Measuring relative device risks is certainly a huge undertaking. I asked about this with John Halamka, who now works at the Mayo Clinic and was a former hospital CIO who has been a friend and colleague of Fu for many years. Halamka told me that assembling this framework means figuring out what “good enough” means, how it will be measured, and figuring out how to create the appropriate test labs to evaluate products against these metrics.
Certainly, the past year of the pandemic has made the FDA’s cybersecurity initiatives difficult, but hopefully with Fu’s appointment, we will start to see some movement and progress on these programs, along with a recognition of the importance of medical device cybersecurity requirements.
Parliamentary legislators in Australia are reviewing the Online Safety Bill 2021, which takes a tougher stance against cyber abuse and allows the eSafety Commissioner to order the takedown of any abusive material.
The Cybersecurity Tech Accord and Economist Intelligence Unit report measures the beliefs of IT security leaders and experts regarding threats posed by state-led and sponsored threat actors.