Have you considered cybersecurity risk? FDA has just released the new draft guidance, “Postmarket Management of Cybersecurity in Medical Devices.”
“A growing number of medical devices are designed to be networked to facilitate patient care,” the agency writes in the draft. “Networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats.”
Should cybersecurity be considered during the development of smart drug-delivery devices? We asked Ali Youssef, PMP CPHIMS CWNE, Senior Clinical Mobile Solutions Architect, Henry Ford Health, this question and more. He intends to cover traditional medical devices as well as smart drug-delivery devices on Wednesday, February 10 at the upcoming MD&M West 2016 conference in Anaheim, CA.
PMP: Medical device cybersecurity has been identified as a potential concern by FDA. When it comes to developing smart drug-delivery devices (such as devices that may interact with a digital device for tracking dosing or other patient activities), what cybersecurity risks are there, and how can drug and device companies minimize those risks to protect patients?
Youssef: When it comes to developing medical devices, it’s critical for manufacturers to focus on the entire system, taking into account the network environment of a clinic or hospital as well as the clinical efficacy of the device. There are risks associated with the device itself, as well as how the device interacts with the network and the rest of the hospital or clinic ecosystem. Some of the key areas that are of concern are:
1) End-users leveraging default, or shared passwords on the device or the network that the device is relying on.
a. Device manufacturers can create workflows to ensure that the passwords in use are sophisticated and difficult to decipher using dictionary attacks.
b. Discourage the use of Pre-shared keys, WEP, or TKIP and rather promote AES encryption and authentication.
2) Patient Data compromised, or intercepted.
a. Ensure that data is encrypted in transit as well as while at rest or being stored on the device.
3) Medical device being susceptible to attack from within or outside the network.
a. Manufacturers can take measures to ensure that only secure protocols are used to access the device configuration.
b. Work with the hospitals and clinics to implement role-based access controls to ensure that a given device can only access what it requires on the hospital or clinic network.
c. Work with the hospital to ensure that a defense in depth strategy is in place to protect medical devices and the data they transmit.
4) Underlying OS vulnerabilities.
a. Manufacturers should move away from using backend Operating Systems that are no longer supported such as Windows XP.
b. Promote regular security patch management.
c. Promote routine security audits.
5) Promoting redundancy.
a. Manufacturers can build a layer of redundancy in the device to ensure that if a given communication medium is disrupted, the device can continue to safely and effectively function.
It is difficult for medical device manufacturers to mimic a hospital network, so every measure should be taken to test the devices on test beds that are configured as closely as possible to a hospital network, or on the hospital network itself.
PMP: Does the concern about cybersecurity only apply to smart medical devices and drug-delivery devices used in hospitals, or would it also be a concern for smart devices that patients use at home (or on the go) that communicate with phone apps?
Youssef: It’s a concern in both arenas. The challenges are similar from a device security perspective regardless of where it is being used. When we introduce apps into the equation that adds another layer of complexity and a multitude of additional potential vulnerabilities.
If anything, in a hospital setting, there are usually security measures in place with traffic segmentation onto dedicated VLANs and robust firewalls. The typical home network environment typically lacks this level of security.
PMP: What can potential attendees expect to learn from your session?
Youssef: This session is intended for medical device manufacturers as well as hospital staff. I will cover typical medical device cybersecurity concerns with a focus on:
1) How device manufacturers can help alleviate some of these, and
2) How healthcare workers can take proactive measures to identify cybersecurity issues.
PMP: What actions do you hope attendees will take after attending your session?
Youssef: My hope is that medical device manufacturers will make an effort towards establishing test beds that are more IT network focused. The other side of this is to ensure that health systems implement robust test processes and device onboarding processes to try and proactively isolate potential security issues.
Here are details on Youssef’s presentation as well as those from a few other speakers at MD&M West (Feb. 9-11; Anaheim, CA):
Wednesday, February 10
1:25 pm -1:50 pm Assessing Medical Device Cyber Risk in Your Connected Device
- Recognizing various security threats to integrated medical devices
- Listing controls relevant to a medical device IT security assessment
- Exploring ways to manage risk when there is a cyber-security issue
Ali Youssef, Youssef, PMP CPHIMS CWNE, Senior Clinical Mobile Solutions Architect, HENRY FORD HEALTH SYSTEM
1:50 pm - 2:30 pm Panel: Managing Risk to Keep Data Secure and Patients Safe
- Overcoming the 3 main risk areas: patient safety, malicious activity, and data security
- Factors to consider during product design with an eye toward cyber security
- Recognizing cultural challenges such as availability vs. confidentiality of data and how to effectively deal with these in your organization
Moderator: Andrew Herger, Director of Engineering-IoT, DEDICATED COMPUTING
Michelle Longmire, MD, Founder, MEDABLE
Ali Youssef, PMP CPHIMS CWNE, Senior Clinical Mobile Solutions Architect, HENRY FORD HEALTH SYSTEM
Melissa Masters, RAC, Manager, Electrical, Software and Systems Engineering; Director, BATTELLE DEVICE SECURE SERVICES, BATTELLE
Also, FDA had held a public workshop on cybersecurity on January 20-21, 2016, entitled “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity.” It was held in collaboration with the National Health Information Sharing Analysis Center, the Department of Health and Human Services, and the Department of Homeland Security.
According to FDA’s draft guidance, “Proactively addressing cybersecurity risks in medical devices reduces the patient safety impact and the overall risk to public health.”