A federal information security board is weighing in on a recent medical device cybersecurity guidance document published by the US Food and Drug Administration (FDA), stating that it is troubling that no one single federal entity is responsible for the cybersecurity of medical devices-an oversight that could cause harm to patients.
The board in question is the Information Security and Privacy Board (ISPAB), a little-known entity first established by the Computer Security Act of 1987 and housed within the National Institute of Standards and Technology. The board is directed by Congress to "identify emerging managerial, technical, administrative, and physical safeguard issues relative to information security and privacy," it explained in its letter to FDA.
So its attention to a recent FDA cybersecurity guidance is something of a natural fit, particularly given an April 2012 report issued by the board calling on FDA to be given the authority to assess the digital vulnerabilities of medical devices before they are allowed to market.
The chief concern of ISPAB and others: Medical devices are vulnerable to digital disruptions from hackers, malicious viruses, network problems, software compatibility issues, and other problems that could ultimately harm patients. For example, if a pacemaker is vulnerable to hacking, a malicious person could literally kill a patient by turning off the pacemaker without that patient's knowledge.
In June 2013, FDA asserted the right to more vigorously assess these risks in a draft guidance document, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, in which it explains that industry will be required to assess the threats capable of being made against their devices before being allowed to market.
Not all devices will be held to the same standards, FDA added. For example, a device that exists in a highly networked environment and that is responsible for keeping a patient alive should be subject to vigorous security controls, while a non-networked heart monitor might be subject to less rigorous ones.
Companies that are not able to show sufficient proof of the safety of their devices with respect to cybersecurity might find their devices blocked from the market, FDA concluded.
[Editor's note: For more on this guidance, please see our explanation here.]
The Need to Lead
All of this is well and good, ISPAB said in a recent letter to the Office of Management and Budget (OMB), but there's more yet to be done. While acknowledging the risks now present to "millions of software-controlled medical devices" could cause significant harm to patients, ISPAB argues that there's another complicating factor: A lack of federal leadership on the issue.
"No one agency has primary responsibility from Congress to ensure the cybersecurity of medical devices deployed across this spectrum," it wrote, noting the involvement of FDA, the Centers for Medicare and Medicaid Services (CMS), Department of Health and Human Services (HHS), Department of Defense (DOD), Department of Veterans' Affairs (VA), Department of Homeland Security (DHS), and other smaller entities as well.
"Given the complexity of the technical issues involved, the Board finds that diffusion of responsibility when it comes to cybersecurity of medical devices raises growing concern," it wrote.
Based on this "diffusion of government responsibility for cybersecurity of medical devices," ISPAB wrote that the government needs to endow in a single federal agency, "such as FDA," the authority and responsibility to oversee medical device cybersecurity in both premarket and postmarket settings.
In addition, ISPAB called on FDA to "collaborate with National Institute of Standards and Technology (NIST) scientists and engineers to research cybersecurity features that could be enabled by default on networked or wireless medical devices in federal settings." ISPAB said it was currently unacceptable that some devices required the user to download new software to "achieve an acceptable baseline of cybersecurity," and should instead be required by the government to be "active at the time of purchase"
IPSAB Letter to OMB