FDA Favors Collaborative Approach to Medical Device Cybersecurity

Implement cybersecurity at the grassroots level of medical device development

Cybersecurity is a maze that companies in every industry must navigate to avoid costly security breaches, and the hardest part is knowing where and how to start. An FDA official offered some practical guidance on the subject at MedTech Intelligence’s conference on Medical Device Cybersecurity.
Suzanne Schwartz, associate director for science and strategic partnerships at the Center for Devices and Radiological Health (CDRH), talked at length about the FDA’s approach to cybersecurity at the conference held in Washington, D.C., March 23-24. Schwartz referred to medical cybersecurity as an ecosystem, which encompasses every organization involved in designing, manufacturing and using medical devices.
Schwartz emphasized that the FDA strongly advocates collaboration in combating the growing threat of cyber attacks on medical devices. “Our approach has been one of fostering collaboration, engaging the many diverse stakeholders within this ecosystem, recognizing that we’ll only make progress when the whole community takes ownership, harnessing all of our collective efforts to improve medical device cybersecurity,” she said.

Cybersecurity Framework for Health Care and Public Health Environment

The cybersecurity ecosystem has many moving parts and complex technologies that continue to grow more sophisticated. To help attendees understand the problem, Schwartz provided some context on how cybersecurity applies to medical device manufacturing and why there is cause for concern.
  • Connected medical devices, like all other computer systems, run software, and software can contain exploitable vulnerabilities.
  • The health care and public health (HPH) critical infrastructure sector presents a large attack surface with national security implications. Intrusions and breaches commonly exploit weaknesses in a system’s or device’s architecture.
  • Medical device vulnerabilities that are not addressed and remediated can serve as entry points into hospital and health care facility networks, from which the confidentiality, integrity and availability of data can readily be compromised.

FDA’s Recommendations for Cybersecurity

“The ability to eliminate a cybersecurity attack is not possible,” said Schwartz. “The focus of cybersecurity is to protect instead of prevent.” With that in mind, the FDA formulated a list of recommended best practices companies can implement to strengthen their security posture, which Schwartz touched on during her session.
#1. Foster a culture of continuous quality improvement. Given the evolving nature of vulnerabilities in medical device technology, premarket controls alone are not sufficient to manage the cybersecurity of devices throughout their lifecycle. The FDA encourages building cybersecurity in during the design phase and continuing to address security issues throughout the product’s lifespan.
Schwartz stressed the importance of maintaining a holistic view of cybersecurity because in the landscape of the Internet of Things (IoT), vulnerabilities evolve and new threats emerge, which demand continuous vigilance.

#2. Apply the NIST Framework for Improving Critical Infrastructure Cybersecurity. Security breaches can be devastating to a company’s finances and reputation. To help organizations improve the security of their infrastructure, the National Institute of Standards and Technology (NIST), an agency within the Department of Commerce, produced the Framework for Improving Critical Infrastructure Cybersecurity.
The framework can be used by any organization, regardless of the type or level of cybersecurity it currently employs, and it is not intended to replace a company’s existing cybersecurity strategy. Instead, it helps an organization identify its current cybersecurity posture, define a target state and develop a plan for progressing toward that target. It does so by organizing security activities into five core functions (Identify, Protect, Detect, Respond and Recover) and by having the organization express its current and target states as profiles against those functions.
#3. Deploy mitigations that address cybersecurity risk early and prior to exploitation. The FDA recommends that medical device manufacturers be proactive and consult with the agency early in the product design process. When a company presents its product roadmap to the FDA before production begins, it is easier to ensure that potential risks are identified and mitigated before they turn into security or safety issues.

#4. Engage in collaborative information sharing for vulnerabilities and threats. Cyber actors carry out their attacks with speed and stealth. In order to fend off intrusions and costly security breaches, the FDA encourages organizations to establish a united front.
The FDA’s approach to fostering collaboration within the cybersecurity ecosystem is through the development of Information Sharing and Analysis Organizations (ISAOs). In a nutshell, ISAOs are organizations that share information about cybersecurity risks and incidents so that participating entities can collectively improve and strengthen their cybersecurity measures.
The notion of exchanging information about cybersecurity issues with other organizations raised concerns among the attendees. Many worried that openly discussing vulnerabilities and breach experiences could expose a company’s proprietary data and harm its position in the market. Schwartz assured the audience that issues of privacy and confidentiality are clarified in the final Guidance on Postmarket Management of Cybersecurity in Medical Devices.
Schwartz stressed the importance of recognizing that cybersecurity is a shared responsibility between stakeholders, including manufacturers of medical devices, health care facilities, providers and patients. Manufacturers can significantly reduce vulnerabilities by involving the FDA early and addressing cybersecurity during the design and development of a medical device.

Keeping Pace with Cybersecurity

Both attack techniques and defensive technologies advance quickly, so organizations need quick reflexes for detecting and protecting against intrusions. Keeping an entire organization informed and up to speed on current cybersecurity events and methods works best when teams can communicate and exchange information quickly and often. With electronic quality management technology, geographically dispersed teams can collaborate on documents and processes as if they were in the same room.
What opinions do you have about openly sharing cybersecurity issues? Please comment below.
David Jensen is a marketing communication specialist at MasterControl. He has been writing technical, marketing and public relations content in technology, professional development, business and regulated environments for more than two decades. He has a bachelor’s degree in communications from Weber State University and a master’s degree in professional communication from Westminster College.