The FDA's Post-Market Cyber-Security Draft Guidance has new recommendations for manufacturers. Here is a high-level overview of what medical device manufacturers should be doing to comply.
Cybersecurity and the FDA
1. Cybersecurity and the FDA
Overview for Medical Devices
By Frances Cohen
President Promenade Software Inc.
Board Member MedISAO
2. My Background
The highlights:
• B.S. Geophysics – UCLA. Worked in the Dept. on an Apple IIe and 1st PC.
(dinosaurs still roamed the earth but punch cards were going extinct)
• Hated oil research – loved software. Got a BS Computer Engineering from
the Technion – Israel Institute of Technology.
• Chief Architect and core team manager at Phoenix BIOS back in the PC
heyday of 286/386/486/Pentium, Windows 3.1 – XP.
• Implemented and managed development of a GE Medical Hospital
Defibrillator at Cardiac Science – first introduction to medical devices.
• Directed software development at Source Scientific LLC, a medical device
contract developer and manufacturer for 9 years.
• Current: President of Promenade Software Inc. – a medical device
software service co. 3+ years.
3. Promenade Software Inc.
• A service provider of Medical Device Software
– ~15 software engineers
– Full stack of software for devices and their
associated eco-system
• Embedded and User-facing software.
• Mobile Apps and Cloud
– Handle software regulatory submission
– Cybersecurity solutions and services
4. Med ISAO
• A medical device information sharing and
analysis organization.
– Provides ongoing cybersecurity information
tailored to the medical device industry.
– Alerts members of potential threats
– Geared towards smaller manufacturers and
startups.
5. Cybersecurity and Medical Devices
Some Definitions
• Cybersecurity
– the procedure of preventing unauthorized access,
modification, misuse or denial of use, or the
unauthorized use of information that is stored,
accessed, or transferred from a medical device to
an external recipient.
• Vulnerability
– A weakness in a device’s cybersecurity
(implementation or processes) that could be
exploited.
6. Background
• From Executive Order 13636
– Cyber threats to national security are among the most serious.
• Thousands of medical devices have been shown to
be vulnerable to hacking
– Rising number of medical devices connected to the internet.
– Insufficient security practices, e.g. fixed hardcoded passwords,
defaults not changed, or no encryption.
– From infusion pumps to CT scans, implantable defibrillators – many
easily accessible from within the hospital, and some on the web or
within Bluetooth reach.
• Raising privacy concerns and safety concerns
7. Ex: GE’s Password Cloud
Default passwords with an advisory not to change them in the manual –
for service reasons.
8. Recent Issues
• Hospira Symbiq Infusion System – July 2015
– FDA issued advisory to stop using due to cybersecurity risk
• J&J Animas Insulin Pump – October 2016
– J&J advised to turn off wireless functions until patched
– Attacker could command pump to dispense arbitrary amount of insulin
from 25 feet away
• St. Jude Pacemaker – August 2016
– Security firm reported ability to wirelessly control implanted
pacemaker
– St. Jude stock dropped ~10%
– Ongoing investigations on validity of claim
9. FDA Guidance - History
• No initial mention in guidance material
• Oct 2014 – FDA released the Guidance for
“Premarket Submission for Management of
Cybersecurity in Medical Devices”
• Jan 2016 – FDA released a draft guidance “Postmarket
Management of Cybersecurity in Medical Devices”
– Talk of release by the end of the year.
10. Premarket Guidance
Guidance follows standards for securing
networked systems (ex: systems having to do
with money…)
• Identify and Protect
– Limit Access to Trusted Users Only
• Require authentication of users (ex: ID and password, or biometric). No hardcoded
passwords. Use modern hashes
• Use multi-factor authentication to privileged device access (service techs., system
admins).
• Require user authentication for upgrades.
• Terminate sessions after a timeout, as appropriate.
– Ensure trusted content
• Upgraded code should be authenticated (e.g. signed)
• Ensure secure data transfer to and from device, using encryption.
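The access-control bullets on this slide (no hardcoded passwords, modern hashes, session timeout) as an added sketch that is not part of the original deck or the FDA guidance. The class name, the scrypt parameters and the 300-second idle limit are assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

# Constructed example parameters (assumptions, not values from the guidance).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)
IDLE_TIMEOUT_S = 300

class DeviceAuth:
    """Per-device credential store: no built-in default or service password."""

    def __init__(self, clock=time.monotonic):
        self._users = {}      # username -> (salt, scrypt hash)
        self._sessions = {}   # token -> (username, time of last activity)
        self._clock = clock

    def enroll(self, user, password):
        # Credentials are set at provisioning; nothing is compiled into firmware.
        salt = os.urandom(16)
        digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
        self._users[user] = (salt, digest)

    def login(self, user, password):
        # Unknown users get a dummy record so they cost the same work as known ones.
        salt, stored = self._users.get(user, (b"\0" * 16, b"\0" * 32))
        candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
        # Constant-time compare of the salted, memory-hard hash.
        if not hmac.compare_digest(candidate, stored) or user not in self._users:
            return None
        token = os.urandom(16).hex()
        self._sessions[token] = (user, self._clock())
        return token

    def check(self, token):
        """Return the user for a live session, or None once it has idled out."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last = entry
        now = self._clock()
        if now - last > IDLE_TIMEOUT_S:
            del self._sessions[token]   # terminate the stale session
            return None
        self._sessions[token] = (user, now)
        return user
```
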
11. Premarket Guidance
• Detect, Respond, Recover
– Implement features allowing for detection of
security compromises.
– Implement features that protect critical
functionality, even when cybersecurity has been
compromised.
– Provide method of recovery by an authenticated
privileged user.
12. Premarket Guidance
• Documentation
– Include a Hazard Analysis with mitigations
pertaining to cybersecurity risks.
– Show traceability to requirements.
– Describe plan for providing updates.
– Provide instructions for recommended
cybersecurity controls appropriate for the
intended use.
13. Postmarket Guidance
To address evolving cybersecurity risks, FDA identifies a number
of critical components that should be included from the device
manufacturer postmarket.
– Monitor information sources for vulnerabilities
– Assess presence and impact of a vulnerability
– Establish and communicate process for vulnerability intake and
handling
– Define essential clinical performance
• To develop mitigations to protect, respond and recover
– Adopt a Coordinated Vulnerability Disclosure policy and practice
– Deploy mitigations prior to exploitation.
14. Coordinated Disclosure
• FDA recognizes IEC 29147:2014
– deals with the interface between vendors and those who
find and report potential vulnerabilities
– Could be external – how does a 3rd party report a
vulnerability found?
• Why have one?
– FDA recommends it
– Gives advance notice of vulnerabilities
• Makes patients safer
• Better publicity control
– More likely for security researchers to work with you
instead of against you
15. Private Sector Information Sharing
• Executive Order 13691
– Promotes private sector information sharing, encouraging
ISAOs (information sharing and analysis organizations)
• ISAOs serve as focal points for cybersecurity information
sharing and collaboration.
• ISAOs protect privacy of individuals and preserve business
confidentiality, safeguarding information being shared.
• FDA considers participation in an ISAO a critical component of
a medical device manufacturer’s comprehensive proactive
approach to management of postmarket cybersecurity
threats.
16. Advantage of ISAO Membership
• Manufacturers must report vulnerabilities to
the FDA unless all of the following are met:
– There are no known serious adverse events or
deaths associated.
– Manufacturer implements controls within 30 days
– Manufacturer is a participating member of an ISAO
17. Advantage of ISAO Membership
From the guidance:
“Participants in an ISAO can request that their information be
treated as Protected Critical Infrastructure Information. Such
information is shielded from any release otherwise required by
the Freedom of Information Act or State Sunshine Laws and is
exempt from regulatory use and civil litigation if the information
satisfies the requirements of the Critical Infrastructure
Information Act of 2002”
18. Summary
• The Device Manufacturer has responsibility to
implement cybersecurity risk management
programs premarket and postmarket.
• Information sharing is a critical part of
postmarket cybersecurity programs
The FDA now views cybersecurity risks just as
seriously as defective product risks.
19. Need more Info? Contact Us
For more information please feel free to contact
Promenade Software
Frances@promenadesoftware.com
Daniel@promenadesoftware.com
www.promenadesoftware.com