Edit on December 27th, 2016: The guidance on the management of Postmarket Cybersecurity has been officially released. You can download a copy of the official guidance here.
The FDA issued a draft guidance on the management of Postmarket Cybersecurity in January 2016, which is expected to become official by early 2017. This guidance provides recommendations for medical device manufacturers, many of which are not yet widely adopted. From Coordinated Disclosure to ISAOs, this post will attempt to summarize the guidance.
In the last few years, researchers have proven that thousands of medical devices in hospitals and labs are vulnerable to hacking. This has largely been due to the rising number of medical devices connected to the internet and, unlike in sectors dealing with money (banks, investing, etc.), a lackadaisical attitude towards cyber risk. Some medical devices were deployed with fixed passwords, or with factory defaults that were never changed. From infusion pumps to CT scanners, many proved accessible to anyone within the hospital network or, sometimes, on the web.
Below is a well-known “word cloud” of default passwords for medical devices. To preserve serviceability, the user manuals recommended that users not change the default password. Consequently, thousands of devices were on networks, authenticating with the default passwords shown below. These passwords were not secret or hidden; they are publicly available in the manuals:
Some of the more recent cyber related incidents for medical device cybersecurity include:
To date, no one is known to have been injured due to cybersecurity vulnerabilities in medical devices. But obviously, without addressing the risk, it is a ticking time bomb.
In early 2013, President Obama recognized that cyber threats to national security were among the most serious, and that secure and resilient infrastructure was essential. Through an executive order and a policy directive, the Federal Government was asked to strengthen critical infrastructure against cyber threats, including in the public health sector. The FDA subsequently released a premarket guidance and, more recently, a draft Postmarket Cybersecurity Guidance for Medical Devices in early 2016.
The FDA recognizes that an effective cybersecurity program needs to incorporate proactive postmarket vigilance, and that managing it is the responsibility of the device manufacturer. Below are the identified critical program components:
A coordinated vulnerability disclosure program provides a method by which vulnerabilities can be reported to the manufacturer and subsequently handled. It needs to define how anyone who finds a vulnerability can report it. For example, if a researcher discovers a vulnerability, how does he or she report it to the manufacturer in a way that gets their attention? A coordinated disclosure policy includes publicly available reporting instructions, and describes how that input is to be handled and the risk controlled.
Why have a Coordinated Disclosure Program (besides that the FDA says to)?
As part of the federal acknowledgement of the cybersecurity threat, EO 13691 promotes private-sector ISAOs to serve as focal points for cybersecurity information sharing and collaboration. The FDA considers participation by manufacturers critical, and has provided several benefits to those who are members. For example, if a vulnerability is found, the manufacturer must report it to the FDA UNLESS all three of the conditions below apply:
ISAOs protect the privacy of individual members and preserve business confidentiality, safeguarding the information being shared.
To get help with postmarket compliance, contact Promenade Software. Postmarket Cybersecurity services, including help with a Coordinated Disclosure Program and ISAO membership, are part of our offering. Our cybersecurity experts can help you.