In my last post, I touched on the issue of cybersecurity vulnerabilities in medical devices and how the healthcare industry struggles to manage this risk. We also mentioned the June 2013 FDA Safety Memo that outlined what it perceived as the new responsibilities for manufacturers, healthcare entities and the FDA itself regarding the securing of these devices.
Recently I published an online course in collaboration with the Financial Times / ExecSense on this topic. I covered quite a bit of the problematic history of medical device security as well as some strategies on how to address this issue on the technology and business fronts. Healthcare leadership push-back on recalcitrant medical device vendors will be key in addressing this problem. Painful cultural change will also be necessary.
In the June 2013 safety communication, the FDA broke down the responsibilities of the healthcare organization, the medical device manufacturer and the FDA itself. If you are in the healthcare arena, the document is short and well worth the read (link above), but I’ll put up some highlights:
• Monitoring network activity for unauthorized use.
• Making certain appropriate antivirus software and firewalls are up-to-date.
• Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
• Take steps to limit unauthorized device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks. Appropriate security controls may include: user authentication, for example, user ID and password, smartcard or biometric; strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
• Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code. Note: The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.
• The FDA released a draft guidance on how manufacturers should address cybersecurity in their pre-market submissions. The FDA also has guidance on how manufacturers should address cybersecurity issues related to products that use off-the-shelf software.
The most interesting and most powerful sentence in the document is: “The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.” Of course, the inclusion of the word “typically” provides device manufacturers with some significant wiggle room. However, this statement begins to take the air out of the standard vendor re-certification argument when it comes to patching and endpoint protection.
Adding more fuel to the fire is the recent release of the Health and Human Services (HHS) Office of Inspector General (OIG) Fiscal Year 2014 Work Plan, which outlines its intent to focus on medical device security. The work plan states that OIG “will determine whether hospitals’ security controls over networked medical devices are sufficient to effectively protect associated electronic protected health information – ePHI – and ensure beneficiary safety.” The document then clarifies that “Computerized medical devices … pose a growing threat to the security and privacy of personal health information. Such medical devices use hardware, software, and networks to monitor a patient’s medical status and transmit and receive related data using wired or wireless communications.”
With both the FDA and HHS OIG now in the act, healthcare clinical project managers and security professionals may finally get the ammunition they need to bend the ear of medical device manufacturers. At present it is primarily the healthcare organization that has to contort its requirements and security concerns to ensure it receives vendor support for its devices.
I’d like to hear some feedback from other healthcare PMs and security professionals on this topic. So please feel free to drop me a line in the comments below!