The FDA’s center for devices and radiological health outlined its views and plans around the state of cybersecurity in the medical sector at the 2015 10x Medical Device Conference in San Diego in May.
The presentation was led by director of emergency preparedness operations and medical countermeasures Suzanne Schwartz, and included discussion of current issues, guidelines and how the agency hopes to approach cybersecurity issues within the medical sector in the future. Schwartz also touted the group’s collaborative platform, called Handshake, used to help track vulnerabilities and issues.
“If you were to ask me today, May 5th, 2015 how I would characterize our medical device ecosystem within the context of cybersecurity of course, these are some of the descriptors that come to mind,” Schwartz said. “Complex, evolving, highly diverse players and stakeholders, many with competing needs and conflicting areas of tension, volatile, unpredictable and uncertain. There is nothing, absolutely nothing that is static about this space.”
Schwartz said the medical device landscape had a large amount of players, from researchers and industry investors to end-users of the devices and medical patients, and that solving cybersecurity issues would require a “whole of community” approach.
“The takeaway here though is that no 1 organization, no single government agency, no sole stakeholder, manufacturer, healthcare facility, provider, information security firm is going to be able to solve these issues on their own. This requires what we consider a “whole of community” approach. Note that I didn’t say a “whole of government” approach because this is far more expansive than government alone,” Schwartz said.
Schwartz’s outlined 3 goals of the CDRH’s as raising awareness of the importance cybersecurity in healthcare through education and outreach, promoting safety and security of devices through design and regulatory expectations and promoting proactive vulnerability management.
“It doesn’t stop with the design. It doesn’t stop with the deployment of the device. It’s something that will require vigilance on a continuum,” Schwartz said. “Minimizing reactive approaches and then again that overarching thread that runs throughout all of these goals is that ability of fostering a “whole of community” approach.”
Schwartz said the CDRH is coordinating with the Department of Homeland Security, Department of Health & Human Services, the Industrial Control Systems Cyber Emergency Response Team and other federal partners to maintain awareness of any newly reported vulnerabilities, threats or exploits.
The CDRH held a workshop in October to discuss how individuals involved in the medical device spheres could collaborate to improve the cybersecurity of such devices.
Schwartz said this workshop led to the creation of the Handshake virtual collaboration tool, a platform launched in December after the workshop and administered by MITRE, the CDRH’s federally funded research & development center.
The platform is intended to provide a conversational space for individuals involved in the field to discuss issues relating to medical devices and cybersecurity, Schwartz said.
Schwartz also touched on the final guidance issued by the FDA in October last year, reinforcing that cybersecurity should be addressed during design and development, that design inputs related to cybersecurity should be established for devices and the importance of balancing security and usability.
Last October, Schwartz spoke on cyber vulnerabilities and issues within the medical device sphere, addressing the FDA’s new guidance on cybersecurity issues.
