Posted 21 January 2016
By Michael Mezher
A key component of the US Food and Drug Administration's (FDA) postmarket guidance for medical device cybersecurity is participation in Information Sharing and Analysis Organizations (ISAOs), though questions remain about how these organizations will function and be governed.
In February 2015, President Obama, through Executive Order 13691, encouraged the development of ISAOs across various sectors for stakeholders "to share information related to cybersecurity risks and incidents and collaborate" with one another to respond to threats.
Speaking at a public workshop on medical device cybersecurity Thursday, Linda Ricci, a biomedical engineer at FDA's Office of Device Evaluation in the Center for Devices and Radiological Health (CDRH), said that much of the discussion among attendees focused on how ISAOs would be governed.
"How will these groups be put together? What will be the agreements put in place to make sure that proprietary information is protected? What are the roles and responsibilities of the group? ... Does the information in the ISAO feed into an FDA process, or vice versa?" Ricci said.
What is clear is that FDA and other federal agencies expect ISAOs to play a major role in cybersecurity. In FDA's draft guidance Postmarket Management of Cybersecurity in Medical Devices, the agency says it "considers voluntary participation in an ISAO [to be] a critical component of a medical device manufacturer's approach to management of postmarket cybersecurity threats and vulnerabilities."
The draft guidance also incentivizes participation in ISAOs by not requiring device makers to report to the agency the changes they make to remediate serious vulnerabilities (the correction and removal reports otherwise required under 21 CFR part 806) if:
- "There are no known serious adverse events or deaths associated with the vulnerability,
- Within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users, and
- The manufacturer is a participating member of an ISAO, such as NH-ISAC [National Health Information Sharing and Analysis Center]."
Ricci also said there were questions about the scope of potential ISAOs. "Should there be one ISAO for all of healthcare? Or would it be easier to have ISAOs with more specialized focus?" Some suggestions included product-specific or sector-specific ISAOs, such as an ISAO for pacemakers, or separate ISAOs for healthcare providers and manufacturers.
Ken Hoyme, a scientist at cybersecurity firm Adventium Labs, cautioned that device makers might be more wary about sharing information on vulnerabilities than information on attacks, since vulnerability details may reveal proprietary information about the device.
Some of these questions may be answered soon. In May 2015, the Department of Homeland Security (DHS) commissioned the University of Texas at San Antonio, along with the Logistics Management Institute and the Retail Cyber Intelligence Sharing Center to act as an ISAO Standards Organization to "identify a common set of voluntary standards or guidelines for the creation and functioning of ISAOs." The group held its first public meeting in November 2015 and is in the process of developing standards and guidelines for ISAOs.