
FDA Tackles Device Cybersecurity Threats

October 10, 2018

Cybersecurity Playbook / Courtesy of MITRE Corporation

The FDA says medical devices are at risk for cybersecurity threats.

On October 1, 2018, the agency announced that it’s going to significantly update cybersecurity guidance for medical devices, noting the threat of cyberattacks “is no longer theoretical.”

“As the number of cyber attacks has increased, we’ve heard concerns about the potential for cyber criminals to attack patient medical devices,” Scott Gottlieb, M.D., the head of the FDA, said in a statement. “Cybersecurity researchers, often referred to as ‘white hat hackers’ have identified device vulnerabilities in non-clinical, research-based settings.”

The agency said it is not aware of any reports that a hacker gained unauthorized access to a medical device in use by a patient, but there’s still a risk.

Cybersecurity Playbook

In addition to plans to overhaul guidance the agency finalized in 2014 on how medical device manufacturers should build safety controls to protect against data breaches and viruses, Gottlieb said that the MITRE Corporation, a federally funded research group, released a cybersecurity “playbook” for health care organizations that outlines steps organizations can take to be better prepared for a cyberattack that involves medical devices.

As an example, the MITRE playbook cites how the global ransomware event known as WannaCry demonstrated that the performance of vulnerable medical devices “may be compromised by an exploit, whether it intentionally targets the healthcare system or is purely opportunistic. Similarly, other attacks such as Petya/NotPetya have highlighted key challenges in preparedness and response across the healthcare and public health critical infrastructure sector.”

The playbook addresses a common problem: healthcare providers and manufacturers don’t know with whom to communicate, what actions they might consider taking, or what resources are available to aid in their response.


According to MITRE, the playbook covers preparedness and response for medical device cybersecurity issues that impact the functionality of a device. “Of particular focus are threats or vulnerabilities that have the potential for large-scale, multi-patient impact and raise patient safety concerns; the playbook is not intended to aid in the day-to-day patch management of devices.”

Clinical Environment Exercise

One of the exercises in the playbook is a live simulation of a clinical environment such as an emergency room.

“Participants include clinical staff who are presented with actors simulating patient conditions needing diagnosis and treatment, possibly in the context of an emergency. However, the root cause of the patient’s emergency (i.e., compromise of a medical device or cyber campaign affecting multiple systems) is unknown to the clinician ‘player’.”

“The scenario development team injects cybersecurity attacks that may manifest in a variety of ways including for example: device disabling/denial of service; manipulation of clinical data; or changing device operation. Any one of these will have a demonstrable effect on patient safety.

“The scenario may test at least two areas:

  1. recognition by the clinical staff that a cybersecurity attack is unfolding and impacting the patient, and
  2. response—how the staff treat the patient once they realize that device function is compromised.”

The agency says it has also developed its own internal playbook to help staff respond to cybersecurity threats and agreed to two memoranda of understanding with several stakeholder groups to create organizations that will gather, analyze and share information about cyberthreats.

Gottlieb said the FDA believes that manufacturers that participate in these organizations signal that they’re being proactive about tackling cybersecurity. “We believe this transparent sharing of information will help manufacturers address issues earlier and result in more protection for patients.”
