The US Food and Drug Administration (FDA) is looking to advance awareness of cybersecurity for medical devices by encouraging sharing and collaboration between manufacturers, healthcare providers and cybersecurity researchers.
At a workshop at FDA's White Oak campus in Silver Spring, MD, Wednesday, Stephen Ostroff, acting commissioner at FDA, said the threat of cyberattacks targeting medical devices is growing exponentially.
"We know the potential harms that can come to patients that rely on these networks and devices," he said, emphasizing that "it's even harder to maintain cybersecurity once a device is on the market."
Suzanne Schwartz, acting director of the Emergency Preparedness and Medical Countermeasures Program at the Center for Devices and Radiological Health (CDRH), stressed the importance of cybersecurity in a public health context.
"[The] healthcare and public health critical infrastructure represents the largest attack surface for national security today," Schwartz said.
In 2013, President Obama issued Executive Order 13636 and Presidential Policy Directive 21 calling on agencies to step up cybersecurity measures for critical infrastructure.
Since then, FDA has increased its focus on cybersecurity. In 2014, the agency held its first public workshop on collaborative approaches for medical device and healthcare cybersecurity and finalized its guidance on management of cybersecurity in premarket submissions.
Last week, FDA issued a draft guidance to clarify postmarket expectations for monitoring, identifying and addressing cybersecurity vulnerabilities and exploits as part of their postmarket management.
Speaking at the workshop, Schwartz emphasized that device cybersecurity needs to be a concern throughout a product's lifecycle, "from design to obsolescence."
However, Schwartz noted that many manufacturers are still not providing needed cybersecurity information in their 510(k) submissions. According to a resent assessment of 85 510(k)s submitted between October 2014 and October 2015, 59 submissions should have included cybersecurity information, but less than half did.
Failing to provide cybersecurity information in an initial submission can delay FDA's review process, as the agency must then follow up with the sponsor to get the missing information.
One way FDA believes device cybersecurity can be improved is through information sharing via Information Sharing Analysis Organizations (ISAOs). These organizations are intended to create an inclusive and secure forums for participants to "gather and analyze critical infrastructure information in order to better understand cybersecurity problems and … communicate or disclose critical infrastructure information to help prevent, detect, mitigate, or recover from the effects of cyber effects."
Another key element to improving cybersecurity is how companies handle being notified of a vulnerability. While some manufacturers have a written policy on vulnerability disclosure, and easy to find information on where to direct notices of vulnerabilities, many do not. Scott Erven, a cybersecurity expert, said that the first step companies can take to incentivize researchers to come forward with vulnerabilities is to create a policy that welcomes disclosure and assures companies that information on vulnerabilities disclosed in good faith won't be used against those reporting them.
While industry and cybersecurity researchers haven't always seen eye to eye on how vulnerabilities should be disclosed, Schwartz said that FDA sees "vulnerability disclosure … as a necessity to information sharing."