MEDICAL DEVICE Cybersecurity.

Transcription

1 MEDICAL DEVICE Cybersecurity.

2 2 MEDICAL DEVICE CYBERSECURITY

3 Introduction Wireless technology and the software in medical devices have greatly increased healthcare providers abilities to efficiently and effectively monitor and treat patients. However, the use of wireless technology and the software in medical devices present risks unique to the healthcare industry. An added concern for the healthcare industry comes from the need to not only protect patient health data, but also the need to protect patients health. Cybersecurity vulnerabilities in medical devices can have life threatening consequences in the event of failure or intentional tampering. The threat is real as hackers have demonstrated the ability to compromise a diverse array of medical devices. Although there have been no reported patient injuries or deaths associated with cybersecurity incidents, cybersecurity specialists have identified a number of vulnerabilities with these devices. Due to the increased media focus on the identified issues, the U.S. Food and Drug Administration (FDA) is investigating numerous devices for cybersecurity issues. On October 2, 2014, the FDA issued a final guidance containing recommendations to medical device manufacturers on cybersecurity management. The guidance is applicable to all new premarket submissions containing software, programmable logic, and standalone software that is a medical device. This guidance represents the FDA s current thinking on the subject of cybersecurity as it relates to medical devices. Although the guidance is not enforceable by law, medical device manufacturers should seriously consider the recommendations presented as the healthcare technology landscape continues to get more and more digitally connected. PLANTE MORAN 3

4 4 MEDICAL DEVICE CYBERSECURITY

5 Guidance. What the Guidance Calls For The FDA has recommended that medical device manufacturers consider the following five cybersecurity framework core functions: identify, protect, detect, respond, and recover. This framework is based on the NIST Framework for Improving Critical Infrastructure Cybersecurity, a voluntary framework based on existing standards, guidelines, and practices for reducing cyberrisks to critical infrastructure. IDENTIFY AND PROTECT A proper assessment of cybersecurity vulnerabilities can help identify controls that can protect against intentional or unintentional threats. Medical devices with digital connectivity capabilities are inherently more vulnerable to cybersecurity threats than devices not in scope for this guidance. The guidance recommends that the extent of security controls present for an in-scope device should depend on the following: the device s intended use the presence and intent of its electronic data interfaces its intended environment of use (e.g., home use vs. healthcare facility use) the type of cybersecurity vulnerabilities present PLANTE MORAN 5

6 the likelihood the vulnerability can be exploited (either intentionally or unintentionally) the probable risk of patient harm due to a cybersecurity breach It is also important to ensure the security controls in place do not unreasonably hinder the device s intended use. Careful consideration should be made between the safety provided by security controls and the usability aspects that may be impaired in emergency situations. The guidance provides the following broad security functions for manufacturers to consider when designing controls for their in-scope devices: Limit Access to Trusted Users Only including limiting access through user authentication, automatic timed session termination, strong password parameters, and appropriate physical security Ensure Trusted Content including restricting software or firmware updates to authenticated code and ensuring secure mediums for data transfer to and from the device DETECT, RESPOND, AND RECOVER It is important for medical device users to be able to effectively detect and respond to cybersecurity breaches and then recover. For this reason, the guidance provides the following guidelines for medical device manufacturers to consider including in their product design: Implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use; Develop and provide information to the end user concerning appropriate actions to take upon detection of a cybersecurity event; Implement device features that protect critical functionality, even when the device s cybersecurity has been compromised; Provide methods for retention and recovery of device configuration by an authenticated privileged user. DOCUMENTATION The guidance also notes the following information related to cybersecurity that should be included by manufacturers during premarket submissions of their medical devices: 1. Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including: A specific list of all cybersecurity risks that were considered in the design of your device with mitigations identified for each risk; 6 MEDICAL DEVICE CYBERSECURITY

7 A specific list and justification for all cybersecurity controls that were established for your device. 2. A traceability matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered. 3. A summary describing the plan for providing validated software updates and patches as needed throughout the product lifecycle of the medical device to continue to assure its safety and effectiveness. The FDA typically will not need to review or approve medical device software changes made solely to strengthen cybersecurity. 4. A summary describing controls that are in place to assure that the medical device software will maintain its integrity (e.g., remain free of malware) from the point of origin to the point at which that device leaves the control of the manufacture. 5. Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g., anti-virus software, use of firewall). PLANTE MORAN 7

8 8 MEDICAL DEVICE CYBERSECURITY

9 Stakeholders. What This Means for Stakeholders So what does this mean for my organization and the healthcare value chain? This varies based on your role with medical devices that are in scope for the guidance. The FDA recognizes that medical device security is a shared responsibility among stakeholders, including healthcare facilities, patients, providers, and manufacturers. The brunt of the action called for by the guidance falls under the responsibility of the medical device manufacturers. However, it is just as important that all the aforementioned stakeholders be aware of their role in the cybersecurity of medical devices. MEDICAL DEVICE MANUFACTURERS The responsibility of medical device manufacturers, as it relates to cybersecurity, is defined by the FDA as follows: Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity, and are responsible for putting appropriate mitigations in place to address patient safety and assure proper device performance. Medical device manufactures should implement an effective framework to PLANTE MORAN 9

10 mitigate cybersecurity risks. It is important to remember that the guidance is not law and only represents the FDA s current thinking on the topic of cybersecurity. The NIST Framework is touted as a prioritized, flexible, repeatable, and cost-effective approach to manage cybersecurity-related risks and would be an excellent option to reduce the possible increase in research and development costs associated with mitigating new and evolving cybersecurity risks. Wireless implantable medical devices Deep Brain Neurostimulators Gastric Neurostimulators Foot Drop Implants Cochlear Implants Cardiac Defibrillators/ Pacemakers Insulin Pumps Medical device manufacturers should work to implement a process to effectively identify and protect against cybersecurity vulnerabilities that could be present in their devices. Furthermore, they should ensure devices are designed to allow end users to properly detect, respond, and recover from a cybersecurity breach. Security is an on-going process that evolves as new vulnerabilities are identified. Medical device manufacturers will need to deploy patches just like antivirus updates for desktops or app updates on mobile devices. HEALTHCARE FACILITIES The responsibility of healthcare facilities, as it relates to cybersecurity, is defined by the FDA as follows: Hospitals and health care facilities should evaluate their network security and protect the hospital system. Patients will hold healthcare facilities responsible for security breaches while being cared for at a healthcare facility. Therefore, healthcare facilities should ensure they have a solid understanding of the cybersecurity risks that are posed by the medical devices they are using. It is important that the institution implement an effective due diligence and risk management framework to identify the threats posed to medical devices with data connectivity. Healthcare facilities should expect to see an increase in the security functionality and complexity of newly released medical devices; this may require additional training for system administrators and/or end users. The 10 MEDICAL DEVICE CYBERSECURITY

11 additional documentation called for in the guidance may be very helpful to healthcare facilities in appropriately implementing and maintaining cybersecurity controls to support their networked medical device infrastructure. PROVIDERS Providers should employ the same due care and procedures described above for healthcare facilities. Providers should be aware of the cybersecurity aspects of the devices they use to treat or prescribe to their patients. Again, patients will hold healthcare providers responsible for security breaches with medical devices recommended by their physicians. Health care providers should ensure patients are trained on the safe use and security aspects of the devices they prescribe. PATIENTS Patients should demand a complete understanding of the functionality of the medical devices they are using. Manufacturer provided documentation should be reviewed to solidify understanding. Additional questions around the sharing of medical data from the devices should be directed to an applicable healthcare provider or device manufacturer. PLANTE MORAN 11

12 AUTHOR KYLE MILLER plantemoran.com