Cybersecurity for Medical Devices

Transcription

1 Cybersecurity for Medical Devices Suzanne O Shea Kathleen Rice January 29, 2015 Why Is This Important? Security Risks in the Sensors of Implantable Medical Devices Over the last year, we ve seen an uptick that has increased our concern, said William H. Maisel, chief scientist at the FDA s Center for Devices and Radiological Health. The type and breadth of incidents has increased. He said officials used to hear about problems only once or twice a year, but now we re hearing about them weekly or monthly. Washington Post, June 13,

2 Some Background: 2005 FDA Cybersecurity for Networked Medical Devices Containing OTS Software General principles applicable to software maintenance to address cybersecurity vulnerabilities Focus on safety and effectiveness of medical device Device manufacturer s ongoing responsibility End users should contact manufacturer, rather than fixing on their own Software patches not ordinarily reportable to FDA under 21 CFR Part FDA Cybersecurity for Networked Medical Devices is a Shared Responsibility: FDA Safety Reminder Manufacturers and user facilities should work together to address cybersecurity threats in a timely manner. FDA typically does not need to review or approve medical device software changes made for cybersecurity reasons. All software changes that address cybersecurity threats should be validated before installation to ensure they do not affect the safety and effectiveness of the medical devices White House Executive Order Improving Critical Infrastructure Cybersecurity It is the policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. The term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters... 2

3 2013 White House Presidential Policy Directive 21 Critical Infrastructure Security and Resilience Directs the Executive branch to: Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time Understand the cascading consequences of infrastructure failures Evaluate and mature the public-private partnership Update the National Infrastructure Protection Plan Develop comprehensive research and development plan Information Sharing: August 2014 NH-ISAC Memorandum National Health Information Sharing & Analysis Center (NH-ISAC) and FDA FDA to develop mechanism to share cybersecurity information with NH-ISAC without compromising confidentiality, trade secrets. NH-ISAC to develop mechanism to share cybersecurity information with FDA without infringing existing agreements with NH-ISAC members. Establish interface for stakeholders to share with the FDA information on medical device or healthcare cybersecurity vulnerabilities. Develop a shared understanding of the risks posed to medical devices by cybersecurity vulnerabilities. Moving Forward: October 2014 FDA Guidance Content of Premarket Submissions for Management of Cybersecurity in Medical Devices Applies to: 510(k)s: Traditional, Special, Abbreviated, De Novo PMA, PDP, HDE Cybersecurity: Process of preventing: unauthorized access, modification, misuse or denial of use; or unauthorized use of information that is stored, accessed or transferred from device to external recipient 3

4 Collaboration is Key: October 2014 FDA, HHS, and DHS Public Workshop Collaborative Approaches for Medical Device and Healthcare Cybersecurity Purpose was to catalyze collaboration among all HPH Sector stakeholders. Discussion focused on: Identification of barriers to promoting medical device cybersecurity; innovative strategies to address challenges that may jeopardize critical infrastructure; and proactive development of analytical tools, processes, and best practices by all stakeholders in order to strengthen medical device cybersecurity. What Can We Learn: General Principles from Guidance Identify assets, threats, and vulnerabilities early on Assess impact of threats on device functionality and end users/patients Assess likelihood of threat and vulnerability being exploited Determine risk level and suitable mitigation strategies Assess residual risk and risk acceptance criteria. Cybersecurity Functions From NIST Framework Identify and Protect Level of security controls needed will depend on many factors Carefully consider balance between security and usability Justify security functions chosen (or not chosen?) Detect, Respond, Recover Implement features so security compromises can be recognized and acted upon Provide end user with information on appropriate actions to be taken Implement features to protect critical functionality, even in compromise Provide methods for retention and recovery of device configuration by authorized user 4

5 Recommended Inclusions in Premarket Submission Hazard analysis, mitigations, and design considerations specific list of all cybersecurity risks that were considered specific list and justification for established cybersecurity controls Traceability matrix linking controls with risks that were considered Summary of plan for providing software updates throughout device lifecycle Description of controls to ensure software integrity (e.g. free from malware) from point of origin to point when it leaves manufacturer s control Device instructions related to recommended cybersecurity controls in use environment (e.g., use of firewall) Some Questions to Consider: How broadly will FDA apply this guidance, including to legacy devices? What are the current reporting requirements and how does this guidance impact those? Will following this guidance automatically mitigate risks and make a device secure? How important is collaboration, and what are the risks of sharing information? What are the liability risks in following or not following the guidance? Thank you! Suzanne O Shea Suzanne.o [email protected] Kathleen Rice [email protected]