We appropriately put a great deal of emphasis on security-by-design and incorporating the right technologies in IoT devices and systems to protect them. But as the threat landscape evolves, devices end up being used in new ways over the course of their lives. This is especially true in the rapidly evolving use of connected, intelligent tools in healthcare, and is particularly critical to address given the life-threatening possibilities if medical equipment is compromised. In response, the U.S. Food and Drug Administration has released very thoughtful guidance on security for medical devices that are in market.
The medical device industry has a very strong safety culture, which has extended into cybersecurity as software content and connectivity have increased. One can see the result of this discipline in the FDA document, which covers compensating controls – i.e., practices that may be implemented in the environment, such as removing a device from the network – that can reduce the risk from a vulnerability while it is being addressed. The document also lays out many scenarios to illustrate remediation and reporting requirements. It also refers to the NIST “Framework for Improving Critical Infrastructure Cybersecurity” guidance, which was created with significant stakeholder participation.
The heart of the recommendations centers on three areas that we know from other industries are critical to providing strong security throughout the lifecycle:
- Engagement with researchers – medical device security is an area of significant research activity with vulnerabilities publicized on everything from pacemakers to insulin pumps. Manufacturers need to have a process defined to report those vulnerabilities, and reports should be acknowledged and addressed.
- Information sharing on threats and vulnerabilities. Participation in an Information Sharing and Analysis Organization (ISAO) such as the National Health Information Sharing & Analysis Center (NH-ISAC) is highly encouraged for collaboration among all the stakeholders who share responsibility for Health IT infrastructure.
- Mechanisms for providing software updates and patching with FDA guidance on compensating controls.
As a companion document to the premarket guidance the FDA provided in October 2014, this new document stressing security throughout the life of medical devices is actionable and provides a roadmap for other industries.