SlideShare a Scribd company logo

The FDA and BYOD, Mobile and Fixed Medical Device Cybersecurity

Valdez Ladd MBA, CISSP, CISA,, profile picture
Valdez Ladd MBA, CISSP, CISA,

The document discusses two recent FDA guidance documents regarding cybersecurity for medical devices. The June 2013 guidance addresses cybersecurity controls that should be incorporated into medical devices connected via networks. The August 2013 guidance encourages risk assessments of wireless technology in medical device design. The document provides an overview of the guidance and considerations for medical device manufacturers and healthcare facilities for incident response and reporting of cybersecurity issues related to networked medical devices.

TechnologyBusiness
Related topics:
Wireless Networks OverviewMedical Devices Overview Risk-Management
1 of 10
Downloaded 29 times
1
2
3
4
5
6
7
8
9
10
The FDA and BYOD, Mobile and Fixed Medical Device Cybersecurity Published originally for ISSA Journal, September 2013 issue (www.ISSA.org) Authors: Pam Gilmore, BS Business Administration, ISSA Raleigh, NC member. Valdez Ladd, CISSP, CISA, COBIT 4.1, CIW-SP, CNSS NSTISSI 4011 ISSP, MBA. MAIA, Member ISO Technical Committee 215 Health Informatics Working Group 4 - Privacy & Security Abstract: In June 2013, the U.S. Food and Drug Administration (“FDA”) released draft guidance: “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”. This was followed on August by the FDA's “Radio Frequency Wireless Technology in Medical Devices Guidance for Industry and Food and Drug Administration Staff”. This article is intended for the customer facing risk managers, sales staff, and IT staff of a medical device manufacturer and their medical doctors and IT hospital and clinical counterparts. It is intended to give an overview and highlight process considerations for incident management and reporting of cybersecurity issues. Disclaimers: This article is an IT security awareness document only. It is not to be considered an official FDA document guide or consulting tool. Please seek legal counsel and consult your own corporate IT security along with any additional external professional expertise as deemed necessary for your business. Also note that the views expressed here in this article are those of the authors soley and do not necessarily reflect the positions of any current or former employers or organizations.
In June 2013, the U.S. Food and Drug Administration (“FDA”) released draft guidance on titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”. Its goal is to begin the process of bringing network connected or accessible medical device's cybersecurity under their jurisdiction. This draft will be accessible for public comment until mid-September 2013. Final rules are expected to be published in early 2014. Healthcare is a high security environment. One which is constantly under constant attack. It is always combating the risk of exposure of protected patient health information (PHI). This requires using technical, administrative, and physical security controls for network connected medical devices. Though mobile smartphone and table applications are not covered currently, it is a good assumption that a security requirement is coming modelled on the current network device connected draft that this research paper covers. Therefore it is important that information technology (IT) security professionals not view this FDA draft through the prism of the customary CIA (confidentiality, integrity & availability) triad. It is too limited for use within the medical sector. A better heuristic is the more complete PAINS, (privacy, availability, authentication, integrity, non-repudiation and safety) to account for the stringent demands of medical devices and applications for patient requirements. (Sloan) 1. Sloane , Elliot B. (PAINS) “Medical Device Security HITECH-AARA and FDA related Security Issues”-NIST/OCR HIPPA Conference, (11, 12 May 2010) – http://csrc.nist.gov/news.../HIPAA.../1-4-health-devices-sloane-drexel.pdf Though it surprised some people outside the medical field, it can be seen as regulations trying to catch up to the explosion of Internet and network devices. This ranges from implanted devices such as insulin pumps, patient medical imaging storage, and wireless medical BYOD devices to X-Ray, MRI, ultrasound units, and other diagnostic equipment. Though this is a US regulation, it is sure to influence many other nations across the world as they consider their medical device review, acceptance, and procurement processes and laws to address cybersecurity risks to patients and their privacy. see figure 1. 2. ElBoghdady, Dina. Health apps under the microscope. 2012. Photograph. chicagotribune.com, Chicago. Web. 7 17 2013. <http://articles.chicagotribune.com/2012-06-26/business/ct-biz-0626-health-apps-20120626_1_smartphone-application- mobile-apps-android>. Illustration 1: (El Boghdady)
While the FDA document did not reference outside technical reference there are several useful expert authoritative documents to consider. First the NIST SP 800-124 Revision 1 covers securing both organization-provided and personally-owned (bring your own device) mobile devices. Also the NIST Special Publication 800-53 (Rev. 4) and 800-53A (Rev. 1) Security Controls and Assessment Procedures for Federal Information Systems and Organizations should be added to the list. Finally be familiar with ISO/DTR 17522 Health informatics --Provisions for Health Applications on Mobile/Smart Devices 2013-01-29 30.20 and ISO/AWI TR 80001-Application of risk management for IT-networks incorporating medical devices. Existing Quality documentation processes for existing regulated device error reporting will have to include cybersecurity knowledge or subject matter expertise. This will allow for capturing relevant data in the case of a fast moving major security incident. This information should be made available to the medical device manufacturer's technical support per modality (ultrasound, X-Ray, blood serum diagnostic, etc.,) and quality control staff. Each may have training for serious incident hazard reporting, but will need to incorporate cybersecurity. This process will require expert training and review so their reporting processes can be efficient and compliant. The degree of harm caused by a major virus infection, rootkit or other malware can be extensive and possibly fatal. Time will be essential as mobile medical devices increase grows and connection via wireless networks grows. The same will be true for stationary and mobile imaging devices. Professional expertise will be needed for the preliminary incident. Basic data gathering only can be handled over the telephone with the customer. Beyond the basic five questions of who, what, when, where, and how (if possible) will require more training and on-site investigation by the manufacturer’s experts for the malware affected medical device. Semi-automated forensic hardware-and-software tool and processes have to be made available for deployment by device manufacturers in the USA and other countries that adopt similar levels of assurance and investigation. The manufacturer's customer facing IT and modality engineer staff will face growing to incorporate first responder capabilities within this area. Wireless Radio Frequency (RF) Devices The FDA's “Radio Frequency Wireless Technology in Medical Devices Guidance for Industry and Food and Drug Administration Staff” pressures manufacturers to consider the use of wireless technology in their medical devices. Also it encourages a risk based assessment of RF wireless technology in the device's design. The report states “The correct, timely, and secure transmission of medical data and information is important for the safe and effective use of both wired and wireless medical devices and device systems”. see figure 2. FDA (2013, August 13). Radio Frequency Wireless Technology in Medical Devices. http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/4GuidanceDocuments/ucm077210.htm
The newest and fast growing area in medicine is bring-your-own-device (BYOD). The range of services and medical references that doctors and clinical staff have at their disposal is a powerful incentive to use the smartphone, tablet or other mobile device they have learned and mastered. However as one security expert stated,” Wireless implantable devices and other patient monitoring equipment "could be a back door into your network," noted Peter Swire, an Ohio State University law professor and former presidential adviser on privacy issue”. (Desta) 3. Desta, A.,"Content of Premarket Submissions for Management of Cybersecurity in Medical Devices-Draft guidance or Industry and Food and Drug Administration Staff.US-FDA (2013, 06) - http://www.fda.gov/medicaldevices/deviceregulationandguidance/guidancedocuments 4. csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pd 5. csrc.nist.gov/publications/nistpubs/800-53A.../sp800-53A-rev1-final.pdf 6. csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf 7. www.iso.org/iso/catalogue_detail.htm?csnumber=59949 FDA Cybersecurity Draft details: On June 13, 2013, the U.S. Food and Drug Administration (“FDA”) released draft guidance on titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices Draft Guidance for Industry and Food and Drug Administration Staff”. It proposes cybersecurity controls should be incorporated into vulnerable medical devices that are connected via wireless, Internet and wired networks. The documentation for this mainly contained in the Premarket Notification (510(k) and approval process for new medical devices. Illustration 2: (Gollakota)
In addition to the draft guidance, the FDA published a FDA Safety Communication. It was addressed to medical device manufacturers and their engineers. It was intended for our nation’s hospitals, clinics, and other health care facilities including their health care information technology (IT), and procurements staff. This was due to increased publications of cybersecurity issues. prominent publication was when the US Government Accountability Office (GAO) issued a report titled, “Medical Devices: FDA Should Expand Its Consideration of Information Security for Certain Types of Devices” on August 31, 2013. (GAO) Later in January 2013 cybersecurity Cylance researchers Billy Rios and Terry McCorkle discovered default embedded passwords for a Phillips, Inc. medical systems. They contacted the company to communicate the vulnerabilities. However when no response came they contacted the US Dept. of Homeland Security. (DHS), the Federal Drug Administration (FDA) and the US Industrial Control Systems Cyber Emergency Response Team (ICS CERT) to persuade Phillips, Inc. to correct the security flaws quickly. In addition Cyberlance's Mr. Rios and Mr. McCorkle examined and discovered vulnerabilities and weak access controls in almost 300 medical devices. An alert published on the US government's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) website, cited research from Billy Rios and Terry McCorkle of the cyber security firm Cylance Inc., who said they have identified more than 300 pieces of medical equipment that are vulnerable to cyber-attacks to their firmware, embedded passwords and weak authentication. They include surgical and anaesthesia devices, ventilators, drug infusion pumps, patient monitors and external defibrillators. 8. ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01, The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). (13 June, 2013). Retrieved from http://www.gao.gov/products/GAO-12-816 Note the public draft has non-binding recommendations open for the public until mid-September after ninety (90) days have passed since its June 13th publication. Final rules would follow and go into effect next year in 2014. The draft itself states that in principle the cybersecurity requirements should be as least burdensome as practical, while still meeting requirements. Patches to medical devices for updating cybersecurity would not require FDA approval unless patient safety is affected. This include Anti-Virus updates. “Manufacturers should develop a set of security controls to assure medical device cybersecurity to maintain the information’s [data] confidentiality, integrity, and availability. This goal of avoiding compromised device functionality implicitly includes data at in-motion on the network and at-rest on the medical devices.” 9. GAO. MEDICAL DEVICES, FDA Should Expand Its Consideration of Information Security for Certain Types of Devices (31 August, 2012). Retrieved from http://www.gao.gov/products/GAO-12-816 10. Marianne Kolbasuk McGee, “Medical Device Security: A New Focus, Former Presidential Privacy Adviser Addresses Mobile Security (15 April, 2012) - http://www.healthcareinfosecurity.com/interviews/medical-device-security-new-focus-i-1882 11. Abiy Desta, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Draft Guidance for Industry and Food and Drug Administration Staff" (14 June 2013) - http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf 12. Op. Cit GAO 13. Darren Pauli, "Patient Data Revealed in Medical Device Hack", (17 Jan 2013) - http://www.scmagazine.com.au/News/329222,patient-data-revealed-in-medical-device-hack.aspx 14. Ransdell Pierson, Jim Finkle.,"FDA urges protection of Medical Devices from Cyber Threats" (13 June 2013) - http://www.reuters.com/article/2013/06/14/us-devices-cybersecurity-fda-idUSBRE95C1IB20130614
Prior FDA Cybersecurity guidance: Since medical devices that were not originally designed with networking capabilities were isolated from the growing number of hospitals with local area networks (LAN) running TCP/IP their usefullnes was seen as diminished. Hospitals wanted more capabilities without buying totally new expensive medical devices. Manufacturers responded by connecting their medical devices with computer workstations running TCP/IP. This was important as the use of digital imaging of patient radiological (X-Ray & CT) and ultrasound images became more prominent. The FDA responded with it draft report the "Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software,” issued on January 14, 2005. It noted that manufacturers would generally not be reportable as a correction or removal under 21 C.F.R. part 806, “because most software patches are installed to reduce the risk of developing a problem associated with a cybersecurity vulnerability and not to address a risk to health posed by the device". The FDA was setting boundaries on liability for software patches to enhance safety without penalty to medical device manufacturers. It was an important and needed step for medical device cybersecurity. Risk Analysis: Below is a list of the risk analysis that the FDA's cybersecurity was invoking using many of the concepts found in the NIST special publications for cybersecurity. Note the documentation requirements are generic to many risk analysis at the design stage. Building security into a product at the design stage is always considered cheaper, more reliable and manageable. Bolting on security solutions or compensating controls after a product launch is more expensive and difficult to defend against highly skilled hackers. Under FDA 21 CFR 820.30(g) the risk analysis includes three requirements. First Identification of assets, threats, and vulnerabilities and the impact assessment of their exploit probability. Next the determination of risk levels and suitable compensating controls. Finally the residual risk assessment and risk acceptance criteria for the medical device must be included to complete the risk analysis. - Intentionally left blank -
Security Capabilities Access Controls • Remove “hardcoded” passwords (those that can not be changed) • Limit Access to Trusted Users who are authenticated with multi-factor authentication • Employ role based access control with time limited user sessions • Physical locks on devices must be used and on their communication ports when possible 15. http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments /UCM356190.pdf Incident Response Ensuring Trusted Content is another requirement. Trusted software or firmware updates with strong authentication is the foundation for this functionality. This leads to software whitelisting, blacklisting (anti-virus), and secure software code signing becoming part of the security design. This will also require secure data transfers to and from the medical device using encryption and with authentication, authorization and accounting (AAA). While people and processes are listed as parts within the scope of the solution. The creation of a customer notification system that is standarized, procedurized and accessible to the hospital IT staff so that authorized users can download the correct dentifiable software and firmware updates from the manufacturer in cases of incident responses. Note that the range of security for existing devices and their current design will limit their security capabilities. For example implantable medical devices use simple PIN codes similar to a bank ATM. Smartphone and tablets have more computing power and can support encryption with authentication, authorization and accounting (AAA). Use Fail-Safe and Recovery Features The FDA specifice the mplementation of fail-safe device features that protect the device’s critical functionality, even when the device’s security has been compromised. These features allow for security breaches to be recognized, logged, and acted upon. Also it provide methods for forensic retention and recovery of device configuration by an authenticated system administrator. This allows the medical technician, or clinical staff to ramp down a treatment or examination for patient safety when notified of a security breach.
Logging Today major diagnostic and radiological examination devices are often remotely monitored by medical device manufacturers for maintenance purposes. Mobile medical devices will need added capacity for logging more diagnostic data. While medical implants such as pacemakers and insulin pumps have very limited logging capabilites. Therefore forensic investigation using device logging will vary depending on the medical devices. 16. http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments /UCM356190.pdf Forensics Forensics data and evidence now must be captured within the medical device manufacturer's Hazard Report which will be produced when any medical device incident occurs. This is an existing standard report. So, the forensics will only need to be appended to the medical manufacturer's FDA complaint handling processes. This will drive demand for greater numbers of medical device forensic specialist by manufacturer's. HIPAA Privacy rules many be in conflict with the forensic rules unless addition compensating privacy controls are put into place. Cybersecurity Design Documentation The 501(K) premarket submission by the medical device manufacturers should provide attestment with supporting documentaton of the cybersecurity design of their medical device. Rather than going over each requirements which is highly redundant; we will highlight the most critical areas not covered earlier. This will better serve the reader. 1. Hazard analysis, mitigations, and design This documentation considers both intentional and unintentional cybersecurity risks associated with the medical device under review. This is an important liability issue as the definition for unintentional risks will need clarification in the future. Does the principal of unintended consequences (R. Merton) come into scope? Every Security design is a trade off between usability and security. How will the FDA judge this as unintend risks are not the ones intended by the medical device's purposeful design elements? 17. Merton, Robert K."The Unanticipated Consequences of Purposive Social Action". American Sociological Review 1 (6): 895. August 21, 2013. http://www.d.umn.edu/cla/faculty/jhamlin/4111/2111-home/CD/TheoryClass/Readings/MertonSocialAction.pdf
2. Security Requirements Traceability Matrix The key document for the Hazard analysis, mitigations, and design process will be the Traceability Matrix (Security Requirements Traceability Matrix ) document. It will link the actual intentional and unintentional cybersecurity controls to the cybersecurity risks that were considered at the time of design. The security requirements traceability matrix (STRM) should identify all IT security requirements for the medical device's design per the FDA. In addition it will map the the requirements to the existing IT security policy framework of the medical device manufacturer. Lastly it should serve as an IT policy assessment checklist for internal and external auditors. 18. The Institute of Internal Auditors (2008). 12 Steps to IT Security Compliance. Gap News,3(1). Retrieved from http://www.theiia.org/gap/index.cfm?act=GAP.printa&aid=2464 Anti virus (AV) The FDA has called for an end to the tug-of-war between hospitals and medical device manufacturers over anti virus software. Higher pricing for customized anti virus software from manufacturers was justified by FDA safety mandates per manufactures to avoid damage to the device's operation while patients are being treated. However many hospitals and clinics have had their own anti virus contracts under theirr own central administration. Now the FDA is mandating that detailed instructions for the end-user operations and product specifications related to recommended anti-virus (AV) software and any device firewall settings. This includes both the manufacturer's recommended use of anti-virus software safely. It also includes how the hospital should use and operate their own anti-virus software safely equally. Again the issue of liability in case of an AV infection by a hospital using the manufacturer's instructions for third party AV software will have to be resolved by the FDA or a court of law later. Summary: The FDA's guidance raises the standard for cybersecurity and risk management for the medical devices. Newer devices sold starting in 2014 and afterward when the final cybersecurity guidance takes effect will over time phase out older less secure networked medical devices. The FDA's goal of managing the medical device's cybersecurity product life-cycle from design to operation to disposal is timely and needed. Overtime this standard may become de facto for purchasers world wide of networked medical devices. PAINS, (privacy, availability, authentication, integrity, non-repudiation and safety) will become key components of the medical devices security risk analysis. It will serve to reinforce the scope of patient and device risks. It can be expected that the FDA cybersecurity guidance will strengthen the HIPAA Privacy Rule and Security Rule in the areas of risk analysis and mitigation also. Though a work in progress it presents another avenue of reducing the attack surface of the medical operations for hospitals and clinics. Therefore the increased cybersecurity of medical devices that the FDA is working on in its draft guidance is a positive for reducing risk to patients and their privacy. Hospitals and medical device manufacutrers will have to establish new processes and procedure to communicate and work together to create a successful transformation. This convergence of security, risk management and secure product design may be seen as a future model of cybersecurity for other regulated industries.
19.”FDA Safety Communication: Cybersecurity for Medical Devices and hospital Networks”, (6 June 2013) - http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm 20. Sloane, Elliot B. (PAINS) “Medical Device Security HITECH-AARA and FDA related Security Issues”-NIST/OCR HIPPA Conference, (11, 12 May 2010) – http://csrc.nist.gov/news.../HIPAA.../1-4-health-devices-sloane-drexel.pdf

More Related Content

PDF
Understanding Cybersecurity in Medical Devices and Applications
EMMAIntl
 
PDF
Medical device security presentation - Frank Siepmann
Frank Siepmann
 
PDF
Medical technologies and data protection issues - food for thought
Renato Monteiro
 
PDF
Patient Centric Cyber Monitoring with DocBox and Evolver
The Security of Things Forum
 
PPT
Technologies and procedures for HIPAA compliance
Jack Shaffer
 
PPTX
Network Connected Medical Devices - A Case Study
SophiaPalmira
 
PDF
How to Secure Your Medical Devices
SecurityMetrics
 
PDF
security and privacy for medical implantable devices
Ajay Ohri
 
Understanding Cybersecurity in Medical Devices and Applications
EMMAIntl
 
Medical device security presentation - Frank Siepmann
Frank Siepmann
 
Medical technologies and data protection issues - food for thought
Renato Monteiro
 
Patient Centric Cyber Monitoring with DocBox and Evolver
The Security of Things Forum
 
Technologies and procedures for HIPAA compliance
Jack Shaffer
 
Network Connected Medical Devices - A Case Study
SophiaPalmira
 
How to Secure Your Medical Devices
SecurityMetrics
 
security and privacy for medical implantable devices
Ajay Ohri
 

What's hot (19)

PDF
IRJET- Hiding Sensitive Medical Data using Encryption
IRJET Journal
 
PPTX
connected Medical devices IoT Cybersecurity reference architecture Telemedicine
Alessandro Sappia
 
PPTX
[Wroclaw #6] Medical device security
OWASP
 
PDF
Challenges and-opportunities-in-software-driven-medical-sciences
PEPGRA Healthcare
 
PDF
IRJET- Mobile Assisted Remote Healthcare Service
IRJET Journal
 
PDF
Post Market Surveillance: If a Device is FDA Cleared or Approved, or EU CE Ma...
Greenlight Guru
 
PDF
Ijcet 06 06_004
IAEME Publication
 
PDF
Healthcare Data Breaches: Biometric Technology to the Rescue
IRJET Journal
 
PDF
IRJET- Android base Healthcare Monitoring and Management System using IoT
IRJET Journal
 
PDF
The post-COVID Value Shift & How MedTech Companies can Capitalize
Greenlight Guru
 
PDF
SECURED FRAMEWORK FOR PERVASIVE HEALTHCARE MONITORING SYSTEMS
ijscai
 
DOCX
Classifying Medical Devices
EMMAIntl
 
PPT
RiskWatch for HIPAA Compliance™
CPaschal
 
PDF
G03406041045
theijes
 
PDF
King spring2016v1.8
Catherine King
 
PDF
Article on The Electronic Health Record
Anurag Deb
 
PDF
Digital Health and Remote Monitoring Devices: the Impact of COVID-19 on Their...
Greenlight Guru
 
PDF
From Servers to Medical Devices
Plan de Calidad para el SNS
 
PPTX
IoT Slam Healthcare 12-02-2016
Great Bay Software
 
IRJET- Hiding Sensitive Medical Data using Encryption
IRJET Journal
 
connected Medical devices IoT Cybersecurity reference architecture Telemedicine
Alessandro Sappia
 
[Wroclaw #6] Medical device security
OWASP
 
Challenges and-opportunities-in-software-driven-medical-sciences
PEPGRA Healthcare
 
IRJET- Mobile Assisted Remote Healthcare Service
IRJET Journal
 
Post Market Surveillance: If a Device is FDA Cleared or Approved, or EU CE Ma...
Greenlight Guru
 
Ijcet 06 06_004
IAEME Publication
 
Healthcare Data Breaches: Biometric Technology to the Rescue
IRJET Journal
 
IRJET- Android base Healthcare Monitoring and Management System using IoT
IRJET Journal
 
The post-COVID Value Shift & How MedTech Companies can Capitalize
Greenlight Guru
 
SECURED FRAMEWORK FOR PERVASIVE HEALTHCARE MONITORING SYSTEMS
ijscai
 
Classifying Medical Devices
EMMAIntl
 
RiskWatch for HIPAA Compliance™
CPaschal
 
G03406041045
theijes
 
King spring2016v1.8
Catherine King
 
Article on The Electronic Health Record
Anurag Deb
 
Digital Health and Remote Monitoring Devices: the Impact of COVID-19 on Their...
Greenlight Guru
 
From Servers to Medical Devices
Plan de Calidad para el SNS
 
IoT Slam Healthcare 12-02-2016
Great Bay Software
 
Ad

Similar to The FDA and BYOD, Mobile and Fixed Medical Device Cybersecurity (20)

PDF
Acus intel medical_devices
atlanticcouncil
 
PDF
The Healthcare Internet of Things: Rewards and Risks
atlanticcouncil
 
PDF
Medical technologies and data protection issues - food for thought
Renato Monteiro
 
PPTX
Cybersecurity in Medical Devices
Sheersha Pramanik 🇮🇳
 
PDF
Medical Device Cybersecurity : A Regulatory Perspective
Jon Lendrum
 
PDF
Exploring Vulnerabilities and Attack Vectors Targeting Pacemaker Devices in H...
IJCI JOURNAL
 
DOCX
NEST – Improving the Regulatory Process for Medical Devices
EMMAIntl
 
PDF
Privacy and Security by Design
Unisys Corporation
 
PPTX
Breakout Session: Cybersecurity in Medical Devices
Healthegy
 
PDF
Security for Implantable Medical Devices (IMDs)
HCL Technologies
 
DOCX
MMHA 6600 WU Technology and The Future in Healthcare Discussion.docx
4934bk
 
DOCX
Wireless Medical Devices
EMMAIntl
 
DOCX
A Proposed Framework for Regulating AI Based Applications in SaMD
EMMAIntl
 
PDF
journal papers.pdf
KSAravindSrivastava
 
PPTX
Protecting Privacy, Security and Patient Safety in mHealth
TAOklahoma
 
PDF
FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...
IRJET Journal
 
DOCX
Data Mining as A Service in Medical Devices
EMMAIntl
 
DOCX
Cybersecurity for Active Implantable Medical Devices.docx
I3CGLOBAL
 
PDF
DHHS ASPR Cybersecurity Threat Information Resources
David Sweigert
 
DOCX
A Survey on Current Applications for Tracking COVID-19
EMMAIntl
 
Acus intel medical_devices
atlanticcouncil
 
The Healthcare Internet of Things: Rewards and Risks
atlanticcouncil
 
Medical technologies and data protection issues - food for thought
Renato Monteiro
 
Cybersecurity in Medical Devices
Sheersha Pramanik 🇮🇳
 
Medical Device Cybersecurity : A Regulatory Perspective
Jon Lendrum
 
Exploring Vulnerabilities and Attack Vectors Targeting Pacemaker Devices in H...
IJCI JOURNAL
 
NEST – Improving the Regulatory Process for Medical Devices
EMMAIntl
 
Privacy and Security by Design
Unisys Corporation
 
Breakout Session: Cybersecurity in Medical Devices
Healthegy
 
Security for Implantable Medical Devices (IMDs)
HCL Technologies
 
MMHA 6600 WU Technology and The Future in Healthcare Discussion.docx
4934bk
 
Wireless Medical Devices
EMMAIntl
 
A Proposed Framework for Regulating AI Based Applications in SaMD
EMMAIntl
 
journal papers.pdf
KSAravindSrivastava
 
Protecting Privacy, Security and Patient Safety in mHealth
TAOklahoma
 
FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...
IRJET Journal
 
Data Mining as A Service in Medical Devices
EMMAIntl
 
Cybersecurity for Active Implantable Medical Devices.docx
I3CGLOBAL
 
DHHS ASPR Cybersecurity Threat Information Resources
David Sweigert
 
A Survey on Current Applications for Tracking COVID-19
EMMAIntl
 
Ad

More from Valdez Ladd MBA, CISSP, CISA, (7)

PDF
Software data privacy threat analysis metric using no trust privacy risk metric
Valdez Ladd MBA, CISSP, CISA,
 
PDF
The FDA - Mobile, and Fixed Medical Devices Cybersecurity Guidance
Valdez Ladd MBA, CISSP, CISA,
 
PDF
Cloud Breach - Forensics Audit Planning
Valdez Ladd MBA, CISSP, CISA,
 
PDF
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
Valdez Ladd MBA, CISSP, CISA,
 
PDF
Risk Management of Medical Devices Connected To IT Networks
Valdez Ladd MBA, CISSP, CISA,
 
PPT
Cloud Security Alliance's GRC Stack Overview
Valdez Ladd MBA, CISSP, CISA,
 
PPT
HIPAA HITECH E-Prescribing / E-Prescription
Valdez Ladd MBA, CISSP, CISA,
 
Software data privacy threat analysis metric using no trust privacy risk metric
Valdez Ladd MBA, CISSP, CISA,
 
The FDA - Mobile, and Fixed Medical Devices Cybersecurity Guidance
Valdez Ladd MBA, CISSP, CISA,
 
Cloud Breach - Forensics Audit Planning
Valdez Ladd MBA, CISSP, CISA,
 
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
Valdez Ladd MBA, CISSP, CISA,
 
Risk Management of Medical Devices Connected To IT Networks
Valdez Ladd MBA, CISSP, CISA,
 
Cloud Security Alliance's GRC Stack Overview
Valdez Ladd MBA, CISSP, CISA,
 
HIPAA HITECH E-Prescribing / E-Prescription
Valdez Ladd MBA, CISSP, CISA,
 

Recently uploaded (20)

PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
KodekX | Application Modernization Development
KodekX
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Cloud computing and distributed systems.
kkkkkhan
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 

The FDA and BYOD, Mobile and Fixed Medical Device Cybersecurity

  • 1. The FDA and BYOD, Mobile and Fixed Medical Device Cybersecurity Published originally for ISSA Journal, September 2013 issue (www.ISSA.org) Authors: Pam Gilmore, BS Business Administration, ISSA Raleigh, NC member. Valdez Ladd, CISSP, CISA, COBIT 4.1, CIW-SP, CNSS NSTISSI 4011 ISSP, MBA. MAIA, Member ISO Technical Committee 215 Health Informatics Working Group 4 - Privacy & Security Abstract: In June 2013, the U.S. Food and Drug Administration (“FDA”) released draft guidance: “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”. This was followed on August by the FDA's “Radio Frequency Wireless Technology in Medical Devices Guidance for Industry and Food and Drug Administration Staff”. This article is intended for the customer facing risk managers, sales staff, and IT staff of a medical device manufacturer and their medical doctors and IT hospital and clinical counterparts. It is intended to give an overview and highlight process considerations for incident management and reporting of cybersecurity issues. Disclaimers: This article is an IT security awareness document only. It is not to be considered an official FDA document guide or consulting tool. Please seek legal counsel and consult your own corporate IT security along with any additional external professional expertise as deemed necessary for your business. Also note that the views expressed here in this article are those of the authors soley and do not necessarily reflect the positions of any current or former employers or organizations.
  • 2. In June 2013, the U.S. Food and Drug Administration (“FDA”) released draft guidance on titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”. Its goal is to begin the process of bringing network connected or accessible medical device's cybersecurity under their jurisdiction. This draft will be accessible for public comment until mid-September 2013. Final rules are expected to be published in early 2014. Healthcare is a high security environment. One which is constantly under constant attack. It is always combating the risk of exposure of protected patient health information (PHI). This requires using technical, administrative, and physical security controls for network connected medical devices. Though mobile smartphone and table applications are not covered currently, it is a good assumption that a security requirement is coming modelled on the current network device connected draft that this research paper covers. Therefore it is important that information technology (IT) security professionals not view this FDA draft through the prism of the customary CIA (confidentiality, integrity & availability) triad. It is too limited for use within the medical sector. A better heuristic is the more complete PAINS, (privacy, availability, authentication, integrity, non-repudiation and safety) to account for the stringent demands of medical devices and applications for patient requirements. (Sloan) 1. Sloane , Elliot B. (PAINS) “Medical Device Security HITECH-AARA and FDA related Security Issues”-NIST/OCR HIPPA Conference, (11, 12 May 2010) – http://csrc.nist.gov/news.../HIPAA.../1-4-health-devices-sloane-drexel.pdf Though it surprised some people outside the medical field, it can be seen as regulations trying to catch up to the explosion of Internet and network devices. This ranges from implanted devices such as insulin pumps, patient medical imaging storage, and wireless medical BYOD devices to X-Ray, MRI, ultrasound units, and other diagnostic equipment. Though this is a US regulation, it is sure to influence many other nations across the world as they consider their medical device review, acceptance, and procurement processes and laws to address cybersecurity risks to patients and their privacy. see figure 1. 2. ElBoghdady, Dina. Health apps under the microscope. 2012. Photograph. chicagotribune.com, Chicago. Web. 7 17 2013. <http://articles.chicagotribune.com/2012-06-26/business/ct-biz-0626-health-apps-20120626_1_smartphone-application- mobile-apps-android>. Illustration 1: (El Boghdady)
  • 3. While the FDA document did not reference outside technical reference there are several useful expert authoritative documents to consider. First the NIST SP 800-124 Revision 1 covers securing both organization-provided and personally-owned (bring your own device) mobile devices. Also the NIST Special Publication 800-53 (Rev. 4) and 800-53A (Rev. 1) Security Controls and Assessment Procedures for Federal Information Systems and Organizations should be added to the list. Finally be familiar with ISO/DTR 17522 Health informatics --Provisions for Health Applications on Mobile/Smart Devices 2013-01-29 30.20 and ISO/AWI TR 80001-Application of risk management for IT-networks incorporating medical devices. Existing Quality documentation processes for existing regulated device error reporting will have to include cybersecurity knowledge or subject matter expertise. This will allow for capturing relevant data in the case of a fast moving major security incident. This information should be made available to the medical device manufacturer's technical support per modality (ultrasound, X-Ray, blood serum diagnostic, etc.,) and quality control staff. Each may have training for serious incident hazard reporting, but will need to incorporate cybersecurity. This process will require expert training and review so their reporting processes can be efficient and compliant. The degree of harm caused by a major virus infection, rootkit or other malware can be extensive and possibly fatal. Time will be essential as mobile medical devices increase grows and connection via wireless networks grows. The same will be true for stationary and mobile imaging devices. Professional expertise will be needed for the preliminary incident. Basic data gathering only can be handled over the telephone with the customer. Beyond the basic five questions of who, what, when, where, and how (if possible) will require more training and on-site investigation by the manufacturer’s experts for the malware affected medical device. Semi-automated forensic hardware-and-software tool and processes have to be made available for deployment by device manufacturers in the USA and other countries that adopt similar levels of assurance and investigation. The manufacturer's customer facing IT and modality engineer staff will face growing to incorporate first responder capabilities within this area. Wireless Radio Frequency (RF) Devices The FDA's “Radio Frequency Wireless Technology in Medical Devices Guidance for Industry and Food and Drug Administration Staff” pressures manufacturers to consider the use of wireless technology in their medical devices. Also it encourages a risk based assessment of RF wireless technology in the device's design. The report states “The correct, timely, and secure transmission of medical data and information is important for the safe and effective use of both wired and wireless medical devices and device systems”. see figure 2. FDA (2013, August 13). Radio Frequency Wireless Technology in Medical Devices. http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/4GuidanceDocuments/ucm077210.htm
  • 4. The newest and fast growing area in medicine is bring-your-own-device (BYOD). The range of services and medical references that doctors and clinical staff have at their disposal is a powerful incentive to use the smartphone, tablet or other mobile device they have learned and mastered. However as one security expert stated,” Wireless implantable devices and other patient monitoring equipment "could be a back door into your network," noted Peter Swire, an Ohio State University law professor and former presidential adviser on privacy issue”. (Desta) 3. Desta, A.,"Content of Premarket Submissions for Management of Cybersecurity in Medical Devices-Draft guidance or Industry and Food and Drug Administration Staff.US-FDA (2013, 06) - http://www.fda.gov/medicaldevices/deviceregulationandguidance/guidancedocuments 4. csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pd 5. csrc.nist.gov/publications/nistpubs/800-53A.../sp800-53A-rev1-final.pdf 6. csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf 7. www.iso.org/iso/catalogue_detail.htm?csnumber=59949 FDA Cybersecurity Draft details: On June 13, 2013, the U.S. Food and Drug Administration (“FDA”) released draft guidance on titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices Draft Guidance for Industry and Food and Drug Administration Staff”. It proposes cybersecurity controls should be incorporated into vulnerable medical devices that are connected via wireless, Internet and wired networks. The documentation for this mainly contained in the Premarket Notification (510(k) and approval process for new medical devices. Illustration 2: (Gollakota)
  • 5. In addition to the draft guidance, the FDA published a FDA Safety Communication. It was addressed to medical device manufacturers and their engineers. It was intended for our nation’s hospitals, clinics, and other health care facilities including their health care information technology (IT), and procurements staff. This was due to increased publications of cybersecurity issues. prominent publication was when the US Government Accountability Office (GAO) issued a report titled, “Medical Devices: FDA Should Expand Its Consideration of Information Security for Certain Types of Devices” on August 31, 2013. (GAO) Later in January 2013 cybersecurity Cylance researchers Billy Rios and Terry McCorkle discovered default embedded passwords for a Phillips, Inc. medical systems. They contacted the company to communicate the vulnerabilities. However when no response came they contacted the US Dept. of Homeland Security. (DHS), the Federal Drug Administration (FDA) and the US Industrial Control Systems Cyber Emergency Response Team (ICS CERT) to persuade Phillips, Inc. to correct the security flaws quickly. In addition Cyberlance's Mr. Rios and Mr. McCorkle examined and discovered vulnerabilities and weak access controls in almost 300 medical devices. An alert published on the US government's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) website, cited research from Billy Rios and Terry McCorkle of the cyber security firm Cylance Inc., who said they have identified more than 300 pieces of medical equipment that are vulnerable to cyber-attacks to their firmware, embedded passwords and weak authentication. They include surgical and anaesthesia devices, ventilators, drug infusion pumps, patient monitors and external defibrillators. 8. ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01, The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). (13 June, 2013). Retrieved from http://www.gao.gov/products/GAO-12-816 Note the public draft has non-binding recommendations open for the public until mid-September after ninety (90) days have passed since its June 13th publication. Final rules would follow and go into effect next year in 2014. The draft itself states that in principle the cybersecurity requirements should be as least burdensome as practical, while still meeting requirements. Patches to medical devices for updating cybersecurity would not require FDA approval unless patient safety is affected. This include Anti-Virus updates. “Manufacturers should develop a set of security controls to assure medical device cybersecurity to maintain the information’s [data] confidentiality, integrity, and availability. This goal of avoiding compromised device functionality implicitly includes data at in-motion on the network and at-rest on the medical devices.” 9. GAO. MEDICAL DEVICES, FDA Should Expand Its Consideration of Information Security for Certain Types of Devices (31 August, 2012). Retrieved from http://www.gao.gov/products/GAO-12-816 10. Marianne Kolbasuk McGee, “Medical Device Security: A New Focus, Former Presidential Privacy Adviser Addresses Mobile Security (15 April, 2012) - http://www.healthcareinfosecurity.com/interviews/medical-device-security-new-focus-i-1882 11. Abiy Desta, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Draft Guidance for Industry and Food and Drug Administration Staff" (14 June 2013) - http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf 12. Op. Cit GAO 13. Darren Pauli, "Patient Data Revealed in Medical Device Hack", (17 Jan 2013) - http://www.scmagazine.com.au/News/329222,patient-data-revealed-in-medical-device-hack.aspx 14. Ransdell Pierson, Jim Finkle.,"FDA urges protection of Medical Devices from Cyber Threats" (13 June 2013) - http://www.reuters.com/article/2013/06/14/us-devices-cybersecurity-fda-idUSBRE95C1IB20130614
  • 6. Prior FDA Cybersecurity guidance: Since medical devices that were not originally designed with networking capabilities were isolated from the growing number of hospitals with local area networks (LAN) running TCP/IP their usefullnes was seen as diminished. Hospitals wanted more capabilities without buying totally new expensive medical devices. Manufacturers responded by connecting their medical devices with computer workstations running TCP/IP. This was important as the use of digital imaging of patient radiological (X-Ray & CT) and ultrasound images became more prominent. The FDA responded with it draft report the "Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software,” issued on January 14, 2005. It noted that manufacturers would generally not be reportable as a correction or removal under 21 C.F.R. part 806, “because most software patches are installed to reduce the risk of developing a problem associated with a cybersecurity vulnerability and not to address a risk to health posed by the device". The FDA was setting boundaries on liability for software patches to enhance safety without penalty to medical device manufacturers. It was an important and needed step for medical device cybersecurity. Risk Analysis: Below is a list of the risk analysis that the FDA's cybersecurity was invoking using many of the concepts found in the NIST special publications for cybersecurity. Note the documentation requirements are generic to many risk analysis at the design stage. Building security into a product at the design stage is always considered cheaper, more reliable and manageable. Bolting on security solutions or compensating controls after a product launch is more expensive and difficult to defend against highly skilled hackers. Under FDA 21 CFR 820.30(g) the risk analysis includes three requirements. First Identification of assets, threats, and vulnerabilities and the impact assessment of their exploit probability. Next the determination of risk levels and suitable compensating controls. Finally the residual risk assessment and risk acceptance criteria for the medical device must be included to complete the risk analysis. - Intentionally left blank -
  • 7. Security Capabilities Access Controls • Remove “hardcoded” passwords (those that can not be changed) • Limit Access to Trusted Users who are authenticated with multi-factor authentication • Employ role based access control with time limited user sessions • Physical locks on devices must be used and on their communication ports when possible 15. http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments /UCM356190.pdf Incident Response Ensuring Trusted Content is another requirement. Trusted software or firmware updates with strong authentication is the foundation for this functionality. This leads to software whitelisting, blacklisting (anti-virus), and secure software code signing becoming part of the security design. This will also require secure data transfers to and from the medical device using encryption and with authentication, authorization and accounting (AAA). While people and processes are listed as parts within the scope of the solution. The creation of a customer notification system that is standarized, procedurized and accessible to the hospital IT staff so that authorized users can download the correct dentifiable software and firmware updates from the manufacturer in cases of incident responses. Note that the range of security for existing devices and their current design will limit their security capabilities. For example implantable medical devices use simple PIN codes similar to a bank ATM. Smartphone and tablets have more computing power and can support encryption with authentication, authorization and accounting (AAA). Use Fail-Safe and Recovery Features The FDA specifice the mplementation of fail-safe device features that protect the device’s critical functionality, even when the device’s security has been compromised. These features allow for security breaches to be recognized, logged, and acted upon. Also it provide methods for forensic retention and recovery of device configuration by an authenticated system administrator. This allows the medical technician, or clinical staff to ramp down a treatment or examination for patient safety when notified of a security breach.
  • 8. Logging Today major diagnostic and radiological examination devices are often remotely monitored by medical device manufacturers for maintenance purposes. Mobile medical devices will need added capacity for logging more diagnostic data. While medical implants such as pacemakers and insulin pumps have very limited logging capabilites. Therefore forensic investigation using device logging will vary depending on the medical devices. 16. http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments /UCM356190.pdf Forensics Forensics data and evidence now must be captured within the medical device manufacturer's Hazard Report which will be produced when any medical device incident occurs. This is an existing standard report. So, the forensics will only need to be appended to the medical manufacturer's FDA complaint handling processes. This will drive demand for greater numbers of medical device forensic specialist by manufacturer's. HIPAA Privacy rules many be in conflict with the forensic rules unless addition compensating privacy controls are put into place. Cybersecurity Design Documentation The 501(K) premarket submission by the medical device manufacturers should provide attestment with supporting documentaton of the cybersecurity design of their medical device. Rather than going over each requirements which is highly redundant; we will highlight the most critical areas not covered earlier. This will better serve the reader. 1. Hazard analysis, mitigations, and design This documentation considers both intentional and unintentional cybersecurity risks associated with the medical device under review. This is an important liability issue as the definition for unintentional risks will need clarification in the future. Does the principal of unintended consequences (R. Merton) come into scope? Every Security design is a trade off between usability and security. How will the FDA judge this as unintend risks are not the ones intended by the medical device's purposeful design elements? 17. Merton, Robert K."The Unanticipated Consequences of Purposive Social Action". American Sociological Review 1 (6): 895. August 21, 2013. http://www.d.umn.edu/cla/faculty/jhamlin/4111/2111-home/CD/TheoryClass/Readings/MertonSocialAction.pdf
  • 9. 2. Security Requirements Traceability Matrix The key document for the Hazard analysis, mitigations, and design process will be the Traceability Matrix (Security Requirements Traceability Matrix ) document. It will link the actual intentional and unintentional cybersecurity controls to the cybersecurity risks that were considered at the time of design. The security requirements traceability matrix (STRM) should identify all IT security requirements for the medical device's design per the FDA. In addition it will map the the requirements to the existing IT security policy framework of the medical device manufacturer. Lastly it should serve as an IT policy assessment checklist for internal and external auditors. 18. The Institute of Internal Auditors (2008). 12 Steps to IT Security Compliance. Gap News,3(1). Retrieved from http://www.theiia.org/gap/index.cfm?act=GAP.printa&aid=2464 Anti virus (AV) The FDA has called for an end to the tug-of-war between hospitals and medical device manufacturers over anti virus software. Higher pricing for customized anti virus software from manufacturers was justified by FDA safety mandates per manufactures to avoid damage to the device's operation while patients are being treated. However many hospitals and clinics have had their own anti virus contracts under theirr own central administration. Now the FDA is mandating that detailed instructions for the end-user operations and product specifications related to recommended anti-virus (AV) software and any device firewall settings. This includes both the manufacturer's recommended use of anti-virus software safely. It also includes how the hospital should use and operate their own anti-virus software safely equally. Again the issue of liability in case of an AV infection by a hospital using the manufacturer's instructions for third party AV software will have to be resolved by the FDA or a court of law later. Summary: The FDA's guidance raises the standard for cybersecurity and risk management for the medical devices. Newer devices sold starting in 2014 and afterward when the final cybersecurity guidance takes effect will over time phase out older less secure networked medical devices. The FDA's goal of managing the medical device's cybersecurity product life-cycle from design to operation to disposal is timely and needed. Overtime this standard may become de facto for purchasers world wide of networked medical devices. PAINS, (privacy, availability, authentication, integrity, non-repudiation and safety) will become key components of the medical devices security risk analysis. It will serve to reinforce the scope of patient and device risks. It can be expected that the FDA cybersecurity guidance will strengthen the HIPAA Privacy Rule and Security Rule in the areas of risk analysis and mitigation also. Though a work in progress it presents another avenue of reducing the attack surface of the medical operations for hospitals and clinics. Therefore the increased cybersecurity of medical devices that the FDA is working on in its draft guidance is a positive for reducing risk to patients and their privacy. Hospitals and medical device manufacutrers will have to establish new processes and procedure to communicate and work together to create a successful transformation. This convergence of security, risk management and secure product design may be seen as a future model of cybersecurity for other regulated industries.
  • 10. 19.”FDA Safety Communication: Cybersecurity for Medical Devices and hospital Networks”, (6 June 2013) - http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm 20. Sloane, Elliot B. (PAINS) “Medical Device Security HITECH-AARA and FDA related Security Issues”-NIST/OCR HIPPA Conference, (11, 12 May 2010) – http://csrc.nist.gov/news.../HIPAA.../1-4-health-devices-sloane-drexel.pdf