Responding to a letter from Sen. Mark Warner (D-VA) that called for a collaborative effort to advance cybersecurity in health care, medical device industry group AdvaMed sought to ease concerns about the impact of cyber attacks with updates on industry and regulators’ moves in line with its five principles.
The industry trade association’s board of directors adopted the set of five medical device cybersecurity principles in 2017 to drive best practices across its member companies. From an upcoming launch of the AdvaMed MedTech Information Sharing and Analysis Organization (ISAO) to new cybersecurity consensus standards, its 22 March letter to the senator provides a range of updates on the principles.
The 21 February letter to AdvaMed CEO Scott Whittaker listed nine questions for the purposes of developing a “short- and long-term strategy for reducing cybersecurity vulnerabilities in the health care sector.” Some of the senator’s questions to Whittaker were specific to the association, while others inquired about federal laws and regulations.
“In the coming weeks I plan to seek broad input from leading public and private health care entities,” Warner said. “I am reaching out to you to start that dialogue and to gather facts and relevant information that may assist policymakers in advancing information security in the health care sector.”
AdvaMed’s letter addressed most of Warner’s questions by providing a snapshot of past and ongoing efforts aimed at addressing medical device cybersecurity concerns based on the group’s five principles.
The first three principles direct manufacturers’ risk management programs to address cybersecurity throughout the total product lifecycle, emphasize system-level security as a shared responsibility and call on manufacturers to implement coordinated vulnerability disclosure (CVD) policies. New efforts reported on these areas include recently updated US Food and Drug Administration (FDA) guidance on premarket cybersecurity policies, the FDA-informed Medical Device and Health IT Joint Security Plan and an October 2018 CVD report developed by the Medical Device Innovation Consortium per FDA’s request.
FDA’s premarket cybersecurity draft guidance came under fire in new comments submitted to the agency, arguing that the proposed two-tiered approach to determining cyber risk poses certain issues.
Principles four and five encourage participation in information sharing programs and tout the benefits of developing new voluntary consensus standards and regulations in collaboration with all relevant stakeholders in the medical device ecosystem, including academia and information security experts.
In line with the fourth principle, AdvaMed spokesperson Mark Brager told Focus that AdvaMed MedTech ISAO is on pace to launch during the first half of 2019. AdvaMed vice president of technology and regulatory affairs Zachary Rothstein explained in the group’s letter that the new organization “will permit its participants to actively and rapidly share information relating to cybersecurity threats, vulnerabilities, incidents and mitigations in a safe and secure environment” once it becomes operational.
ISAO participation is strongly encouraged in FDA’s 2017 postmarket cybersecurity final guidance, Rothstein noted. The agency said in its final guidance document that it “considers voluntary participation in an ISAO a critical component of a medical device manufacturer’s comprehensive proactive approach to management of postmarket cybersecurity threats and vulnerabilities and a significant step towards assuring the ongoing safety and effectiveness of marketed medical devices.”
Rothstein also pointed to industry’s support for and participation in the development of several cybersecurity consensus standards and AdvaMed’s involvement in the International Medical Device Regulators Forum’s (IMDRF) new cybersecurity efforts, underscoring the aim of the group’s fifth cybersecurity principle. AdvaMed’s letter cites AAMI TIR57:2016, Principles for medical device security—Risk management, and the under-development AAMI TIR97, Principles for medical device security—Postmarket risk management for device manufacturers, among other cybersecurity standards.
The first recognized standard—developed by UL and the American National Standards Institute—that specifically targets testing and certification for the cybersecurity of connected medical devices received FDA recognition last year. The standard ANSI/UL 2900-2-1 is intended to be paired with ANSI/UL 2900-1.
AdvaMed is also participating in the newly established IMDRF working group on cybersecurity as a member association of the Global Medical Technology Alliance, according to Brager. A harmonized cybersecurity guide is now in the works after the IMDRF management committee granted the new work item proposal from the Global Diagnostic Imaging, Healthcare IT & Radiation Therapy Trade Association (DITTA). DITTA issued a new white paper on cybersecurity best practices in the manufacturing environment last month.
Of Warner’s nine questions, those that remained unanswered by AdvaMed’s overview relate to whether the group has an inventory of all connected systems in member medical device facilities and real-time data on connected systems’ patch status, how many systems run beyond end-of-life software and operating systems, as well as recommendations for a national strategy and new Congressional efforts.