Cybersecurity is the next frontier in medical device risk management
Is your risk management system ready?
MedTech innovation is increasingly resulting in interconnected devices. Cybersecurity risk management of medical devices is no longer optional.
Imagine a rogue hacker breaks into the embedded software program inside an implanted cardiac pacemaker and commands it to rapidly deplete the battery or start pacing at a deadly rate.
This is not a scene from a harrowing science fiction movie, but a very real cybersecurity vulnerability identified by the FDA in certain implantable pacemakers, which resulted in a recall of 465,000 of these devices in 2017.
Now imagine another hack into an insulin pump, which changes the device settings to increase or decrease the dosing rate, resulting in hypoglycemia (a higher dose than required) or hyperglycemia and diabetic ketoacidosis (a lower dose than required). If not corrected promptly, these conditions can be life-threatening.
Again, this is not a far-fetched hypothetical scenario. Recently, the FDA issued another safety communication about certain older models of insulin pumps, found to have a cybersecurity risk of unauthorized access through the wireless radio frequency communications to and from the product. As a result, someone nearby with specialized technical skills and equipment could access the delivery settings and change them to control insulin delivery. Unlike the newer models of insulin pumps, these older models could not be updated with a software “patch”. Although there were no reports of unauthorized access or changes made to device settings, the manufacturer had to recall 11 of these models and issue a safety communication to patients and healthcare providers advising them to switch to newer models.
As medical devices increasingly become more interconnected with other devices, hospital networks and even smartphones, such cybersecurity risks are quite real. Managing these risks is a product life cycle issue because they are continually evolving and may arise due to circumstances not completely foreseen during their development.
Cybersecurity risk management is an evolving field, with standards and best practices continuing to develop and mature. The good news is that the FDA recognizes that medical device cybersecurity is a shared responsibility among stakeholders, including health care facilities, patients, providers and manufacturers.
Here are three things you can do to start building your organization’s competence in cybersecurity risk management:
1. Join an Information Sharing and Analysis Organization (ISAO)
As a result of the 2015 Executive Order 13691 (Promoting Private Sector Cybersecurity Information Sharing), many ISAOs have been established to serve as focal points for cybersecurity information sharing and collaboration across different industries and government. The National Health Information Sharing & Analysis Center (NH-ISAC) is one such ISAO, with an understanding with the FDA CDRH to collaborate and share information about cybersecurity threats and vulnerabilities relevant to medical devices and related Health IT infrastructure.
Why join an ISAO? FDA considers voluntary participation in an ISAO a critical component of a device manufacturer’s comprehensive approach to management of post-market cybersecurity threats. The agency is providing a tangible incentive to encourage participation in an ISAO by relaxing the reporting requirements under 21 CFR part 806 in some situations. This can lower the compliance burden and help the manufacturer focus on mitigating the uncontrolled risk associated with specific cybersecurity vulnerabilities. More details can be found in the FDA guidance Postmarket Management of Cybersecurity in Medical Devices.
The real benefit of joining an ISAO is receiving actionable information related to cybersecurity risk, threat indicators and incidents in real time. This will significantly alleviate the burden of having to collect, monitor and analyze this information as part of your internal post-market surveillance program.
2. Adapt your ISO 14971 implementation framework to address cybersecurity
The risk management framework outlined in the international standard ISO 14971 can also be effectively utilized for cybersecurity. Assessing the risk of harm from cybersecurity vulnerabilities throughout the product life cycle is no different than assessing the risk of harm from any other hazard. Existing methods, whether qualitative or quantitative, can be enhanced to evaluate the exploitability of cybersecurity vulnerabilities and the severity of potential harm. Similarly, risk acceptability criteria can be adapted to evaluate cybersecurity risks and take appropriate mitigating actions for risk control.
It is important to note that FDA is recommending a binary determination for risk assessment of a cybersecurity vulnerability: it is either controlled or uncontrolled; there is no grey zone. If the vulnerability is not controlled, then additional controls should be implemented. A key concept is a compensating control, which is a safeguard or countermeasure deployed in the absence of a control by design. Although controlling cybersecurity risks by design is most effective, not all vulnerabilities may be known during design and development. Therefore, compensating controls can be implemented as and when new vulnerabilities are discovered during the post-market phase of the product life cycle. An example of a compensating control is user communication which provides instructions for safeguarding the device from unauthorized access and changes.
One of the most important guiding principles of cybersecurity risk management is a coordinated vulnerability disclosure policy and practice. A good resource is the FDA-recognized ISO/IEC 29147:2014 standard, Information Technology – Security Techniques – Vulnerability Disclosures.
3. Accelerate cycles of learning, develop tools and build new capabilities
Cybersecurity risk management requires a mindset of hyper-vigilance and a robust, agile post-market surveillance system. In this regard, your post-market surveillance can no longer be a passive system of monitoring and analysis. Rather, it needs to be capable of detecting signals and identifying vulnerabilities before they are exploited to cause an adverse event. It should also lead to a robust discussion about managing the product life cycle and creating a plan for product obsolescence consistent with the pace of technology maturity. A case in point is the recall of older models of insulin pumps described at the beginning of this article, which could not be updated to address the cybersecurity vulnerability of unauthorized access.
One useful tool to assess cybersecurity vulnerabilities is the Common Vulnerability Scoring System (CVSS), which provides numerical ratings corresponding to high, medium and low levels of risk based on a number of well-defined factors. Interestingly, the insulin pump cybersecurity vulnerability was rated high with a base score of 8.8. Developing in-house capability of using such tools may help strengthen cybersecurity risk assessment.
In conclusion
Cybersecurity risk management needs to become a systematic process within your current risk management program, which hopefully meets the requirements of ISO 14971.
A product life cycle approach is highly desired, which links a robust post-market surveillance system with your design and development process. Joining an Information Sharing and Analysis Organization (ISAO) is a timely commitment you can make right now to get started on your cybersecurity risk management journey!
Good stuff - have you seen Cyber Med Summit (I'm not affiliated, just saw it called out by a group called I Am the Cavalry that focuses on cybersecurity for critical infrastructure)? https://www.cybermedsummit.org/