Schwartz emphasized that the FDA strongly advocates collaboration in combatting the growing concern of cybersecurity threats. “Our approach has been one of fostering collaboration, engaging the many diverse stakeholders within this ecosystem, recognizing that we’ll only make progress when the whole community takes ownership, harnessing all of our collective efforts to improve medical device cybersecurity,” she said.
Cybersecurity Framework for Health Care and Public Health Environment
The cybersecurity ecosystem has many moving parts and complicated technologies that continue to get more sophisticated. To help attendees better understand cybersecurity, Schwartz provided some context around how it applies to medical device manufacturing and why there is cause for alarm.
- Connected medical devices, like all other computer systems, incorporate software that is vulnerable to threats.
- The health care and public health (HPH) critical infrastructure sector presents a large attack surface with national security implications. Unfortunately, intrusions and breaches commonly occur because of weaknesses in a system’s or device’s architecture.
- Medical device vulnerabilities that are not addressed and remediated can serve as access points for entry into hospital and healthcare facility networks, which easily leads to the compromise of data confidentiality, integrity and availability.
FDA’s Recommendations for Cybersecurity
“The ability to eliminate a cybersecurity attack is not possible,” said Schwartz. “The focus of cybersecurity is to protect instead of prevent.” To that end, the FDA formulated a list of recommended best practices companies can implement to strengthen their security posture, which Schwartz touched on during her session.
#1. Foster a culture of continuous quality improvement. Given the evolutionary nature of vulnerabilities in medical device technology, premarket controls alone are not sufficient to manage cybersecurity of devices throughout their lifecycle. FDA encourages implementing cybersecurity during the design phase and continuing to address security issues through the product’s lifespan.
Schwartz stressed the importance of maintaining a holistic view of cybersecurity because in the landscape of the Internet of Things (IoT), vulnerabilities evolve and new threats emerge, which demand continuous vigilance.
#2. Apply the NIST Framework for Improving Critical Infrastructure Cybersecurity. Security breaches can be devastating to a company’s financial and reputational status. To assist organizations with improving the security of their infrastructure, the National Institute of Standards and Technology (NIST), an agency within the Department of Commerce that promotes innovation for enhancing science, business, technology and economic security, produced a document called the Framework for Improving Critical Infrastructure Cybersecurity.
The framework can be used by any organization no matter what type or level of cybersecurity it currently employs. The framework is not intended to replace a company’s current cybersecurity strategy. Instead, the focus is to advise an organization on identifying its current cybersecurity posture, determining a target state for cybersecurity and developing a plan for progressing toward its target state.
#3. Deploy mitigations that address cybersecurity risk early and prior to exploitation. The FDA recommends that medical device manufacturers be proactive and consult with the agency early in the product design process. When companies present a product roadmap to the FDA before production begins, it is easier to ensure that potential risks are addressed and mitigated before any security or safety issues occur.
#4. Engage in collaborative information sharing for vulnerabilities and threats. Cyber actors carry out their attacks with speed and stealth. In order to fend off intrusions and costly security breaches, the FDA encourages organizations to establish a united front.
The FDA’s approach to fostering collaboration within the cybersecurity ecosystem is through the development of Information Sharing and Analysis Organizations (ISAOs). ISAOs are organizations that share information about cybersecurity risks and incidents so that participating entities can collectively improve and strengthen their cybersecurity measures.
The notion of exchanging information about cybersecurity issues with other organizations raised concerns among the attendees. Many in the group worried that openly discussing vulnerabilities and breach experiences could harm a company’s proprietary data and position in the market. Schwartz assured attendees that issues of privacy and confidentiality are clarified in the final Guidance on Postmarket Management of Cybersecurity in Medical Devices.
Schwartz stressed the importance of recognizing that cybersecurity is a shared responsibility between stakeholders, including manufacturers of medical devices, health care facilities, providers and patients. Manufacturers can significantly reduce vulnerabilities by involving the FDA early and addressing cybersecurity during the design and development of a medical device.
Keeping Pace with Cybersecurity
Cybersecurity approaches and technologies advance fast. This means organizations need to have quick reflexes for detecting and protecting against intrusions. Keeping an entire organization informed and up to speed on current cybersecurity events and methods is best achieved when teams can communicate and exchange information quickly and often. Using electronic quality management technology, geographically dispersed teams can collaborate on documents and processes as if they were in the same room.
What opinions do you have about openly sharing cybersecurity issues? Please comment below.
David Jensen is a marketing communication specialist at MasterControl. He has been writing technical, marketing and public relations content in technology, professional development, business and regulated environments for more than two decades. He has a bachelor’s degree in communications from Weber State University and a master’s degree in professional communication from Westminster College.