3 Recurring Questions in the Debate over Medical Device Cybersecurity
November 14, 2018
Days ago, the FDA issued long-anticipated “premarket” cybersecurity guidance for medical device stakeholders.[i] This guidance is one of several steps the FDA has taken recently to provide direction to a growing medical device marketplace.
One notable paragraph in the guidance - left unchanged since 2014 (also found in FDA’s postmarket cybersecurity guidance) - reads as follows:
FDA recognizes that medical device security is a shared responsibility among stakeholders, including health care facilities, patients, health care providers, and manufacturers of medical devices. Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) authenticity, availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death.[ii]
While the highlighted sentence reveals what is at stake when it comes to device cybersecurity, the paragraph underscores three recurring questions that we will continue to grapple with going forward.
1. Who are the key stakeholders?
In the age of connected devices, no industry contains as sprawling a web as the healthcare industry.
Healthcare facilities/providers are largely owned by private businesses, but over half of community hospitals are non-profit, and 20 percent are government-owned.[iii]
The United States spends more on health care per capita than any other nation[iv], and funds programs such as Medicare, Medicaid, the Children’s Health Insurance Program, and the Veterans Health Administration. State and local governments also fund healthcare, as do private insurers. Everyone interacts with the healthcare industry at some point in their lives.
And so, as the healthcare industry itself keeps multiplying, and the cybersecurity vulnerabilities associated with it inevitably scale along with it, robust cybersecurity efforts will have to scale at the same breakneck speed and scope.
2. What role will each stakeholder play?
Considering the diversity of stakeholders in the healthcare industry, no entity bears the exclusive mantle for cybersecurity risk management. Rather, all stakeholders must be seriously engaged in device cybersecurity and gain greater fluency and expertise.
Over the years, there have been inroads in this area, as entities with credibility across sectors – such as the Cellular Telecommunications and Internet Association (CTIA) – have launched comprehensive cybersecurity certification programs to promote private sector solutions that mitigate cyber threats.[v] Another example is the FDA’s CyberMed Safety Board, a public-private partnership that complements existing device vulnerability efforts and resources.[vi] Such collaborations are promising for the future of IoT in all sectors, particularly health care.
Also, as mentioned above, the FDA published premarket and postmarket guidance regarding medical devices, in step with industry-wide efforts toward more collaboration and education. A common theme running through the FDA’s guidance is not only the role of device manufacturers throughout the product lifecycle, but also the importance of healthcare delivery organizations ensuring that they have a robust, disciplined approach to security for every device – including routine updates and maintenance, consistent training for their workforces, and established processes to address vulnerabilities when they become known.
This is also why “shared responsibility” agreements between medical device manufacturers and health delivery organizations are critically important – they increase the transparency and information sharing needed to prevent and mitigate cyber breaches.
3. What is the government doing to help mitigate device cybersecurity risk?
Increasingly, the FDA is working with the Department of Homeland Security and other government agencies to coordinate device security efforts.[vii] In addition, the Department of Health and Human Services’ new health cybersecurity coordination center will be a hub for better information sharing among government stakeholders.[viii]
And yet, notwithstanding the FDA’s recent flurry of activity in this space, the Department of Health and Human Services Office of Inspector General (OIG) recently identified additional ways for the FDA to improve its approach to cybersecurity for medical devices already on the market. The OIG’s report concluded that “[s]pecifically. . . FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices; and, in 2 of 19 district offices, FDA had not established written standard operating procedures to address recalls of medical devices vulnerable to cyber threats.”[ix]
While the FDA had resolved some of these findings by the time the report was published, the OIG’s review underscores some of the government’s difficulty in continually updating the industry with its views.
Another mounting problem within the government is the lack of intra-government coordination – which the OIG report attempted to address in some of its formal recommendations.
This problem is probably best summarized in a recent observation by U.S. Senator Sheldon Whitehouse from Rhode Island, at a Senate hearing regarding solutions to cyber threats:
[T]here are so many executive agencies involved in the cyber problem…I have asked the attorney general in hearings about this and he did not know the name who we should talk to. I've asked the ICs repeatedly, I have not had any response. I've asked the secretary in hearings to look into this. And I've had no response.[x]
Therefore, while private industry is undertaking massive efforts to coordinate with a vast array of stakeholders, the wide-ranging stakeholders within government entities appear to have faced challenges in doing the same. For example, within the federal government itself, the issues of interconnected health devices, patient privacy, patient safety, and cybersecurity fall under the umbrella of an alphabet soup of federal agencies like the FDA, DHS, FBI, FTC, and the IC. And this does not even include state agencies.
Likewise, Congress itself has had trouble determining which committee should be overseeing this area – is it the Intelligence Committee? The Judiciary Committee? The Health, Labor, and Education Committee? The Homeland Security Committee? It is still being debated.
With recent steps being taken by private industry, we hope that the government will implement cooperative, transparent protocols necessary to tighten vulnerabilities and work in unison. The stakes are simply too high not t
[i] FDA, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices – Draft Guidance for Industry and Food and Drug Administration Staff (Oct. 18, 2018), https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM623529.pdf.
[ii] Id. at 9; FDA, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices – Guidance for Industry and Food and Drug Administration Staff, at 3 (Oct. 2, 2014), https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf; FDA, Postmarket Management of Cybersecurity in Medical Devices – Guidance for Industry and Food and Drug Administration Staff, at 12 (Dec. 28, 2016), https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf.
[iii] American Hospital Association, Fast Facts on U.S. Hospitals (Feb. 2018), https://www.aha.org/system/files/2018-02/2018-aha-hospital-fast-facts.pdf.
[iv] B. Sawyer, C. Cox, Kaiser Family Foundation, How does health spending in the U.S. compare to other countries? (Feb. 13, 2018), https://www.healthsystemtracker.org/chart-collection/health-spending-u-s-compare-countries/#item-start.
[v] Press Release, CTIA, Wireless Industry Announces New Cybersecurity Certification Program for Cellular-Connected IoT Devices (Aug. 21, 2018), https://www.ctia.org/news/wireless-industry-announces-internet-of-things-cybersecurity-certification-program; CTIA, Certification Resources, https://www.ctia.org/about-ctia/certification-resources.
[vi] M. Brown, National Security Institute, Cyber Imperative: Preserve and Strengthen Public-Private Partnerships, at 7 (Oct. 2018), http://nationalsecurity.gmu.edu/wp-content/uploads/2018/10/Cyber-Imperative-Final-Web.pdf.
[vii] See FDA, Cybersecurity, https://www.fda.gov/medicaldevices/digitalhealth/ucm373213.htm (listing the FDA’s ongoing efforts to address cybersecurity vulnerabilities).
[viii] Press Release, HHS, HHS Announces the Official Opening of the Health Sector Cybersecurity Coordination Center (Oct. 30, 2018), https://www.hhs.gov/about/news/2018/10/30/hhs-announces-official-opening-health-sector-cybersecurity-coordination-center.html.
[ix] HHS, Office of Inspector General, The Food and Drug Administration's Policies and Procedures Should Better Address Postmarket Cybersecurity Risk to Medical Devices (Oct. 29, 2018), https://oig.hhs.gov/oas/reports/region18/181630530.asp; full report at https://oig.hhs.gov/oas/reports/region18/181630530.pdf.
[x] Cyber Threats to Our Nation’s Critical Infrastructure: Hearing Before the Subcomm. on Crime and Terrorism of the S. Judiciary Comm., 115th Cong. (Aug. 21, 2018) (remarks of Sen. Sheldon Whitehouse, Ranking Member), https://www.judiciary.senate.gov/meetings/cyber-threats-to-our-nations-critical-infrastructure.