The Inherent Risks, Impacts of Security Decisions, and Practical Approaches – Best Practices to Prepare, Mitigate, and Otherwise Manage Vulnerabilities and Potential Cybersecurity Attacks
Continuing from our two prior posts in this three-part series on effectively addressing cybersecurity breaches in medical devices, this third and final post will focus on best practices to prepare, mitigate and otherwise manage vulnerabilities and potential cyber-attacks.
Best practices to prepare, mitigate, and otherwise manage vulnerabilities and potential cybersecurity attacks
The FDA has issued both pre-market considerations[i], which consist of proactively addressing vulnerabilities, and post-market considerations[ii], which consist of mitigation, remediation, and other risk management strategies, to aid in addressing today’s issues of medical device vulnerabilities and potential cybersecurity attacks on those devices. For more details on the FDA’s post-market guidance, see our prior series "FDA Issues Draft Guidance Document for Postmarket Management of Cybersecurity in Medical Devices" posted in four parts here, here, here, and here.
The pre-market considerations include: (1) identifying assets, threats, and vulnerabilities; (2) assessing the impact of threats and vulnerabilities on device functionality and end users/patients; (3) assessing the likelihood of a threat and of a vulnerability being exploited; (4) determining risk levels and suitable mitigation strategies; and (5) assessing the residual risk and risk acceptance criteria.[iii] The manufacturer’s pre-market submission effectively includes the pre-market considerations that have been brainstormed thus far, such as all hazard analysis, mitigation, and design considerations associated with the potential cybersecurity risks of a specific medical device; a summary of the plan for cybersecurity updates and patches; a matrix and summary showing and discussing cybersecurity controls and the risks they face; and device instructions for the specific product with recommendations on how to properly use and secure the device.[iv]
Even after rigorous testing and risk assessment in the pre-market consideration and submission phase, given the rapid pace of technology today, medical device manufacturers and companies should never stop evaluating the potential vulnerability of their devices or considering how to mitigate and remediate the same.[v] Mitigation is a risk management strategy used to minimize the impact of a cybersecurity attack on medical devices and the systems to which they are connected or networked, which takes into consideration that the risk is the outcome of an attack and the aspect of security it affects.[vi] Remediation consists of an action or actions taken to reduce the risk to the medical device’s essential clinical performance to an acceptable level, including, but not limited to, finding an official fix or solution to remove a cybersecurity vulnerability, or using a compensating control (such as notifying the consumer base about a temporary fix or other work-around solution) to adequately mitigate the risk.[vii] One remediation strategy is to engage in cybersecurity “routine updates and patches,” which involves updates, enhancements, or patches to a medical device. These updates and patches provide an increase in the medical device’s security and help to remediate the device’s vulnerabilities linked to the device’s controlled risk, while also not reducing the risk to a patient’s health. Such updates and/or patches include, but are not limited to, software, firmware, and hardware updates.
Other post-market considerations issued by the FDA include the following: (1) monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk, which may require auditing of the network and immediately reporting any security breach;[viii] (2) understanding, assessing and detecting presence and impact of a vulnerability; (3) establishing and communicating processes for vulnerability intake and handling; (4) clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk; (5) adopting a coordinated vulnerability disclosure policy and practice; and (6) employing mitigations that address cybersecurity risk early and prior to exploitation.
Other all-around best practices[ix] discussed by the FDA have been to:
1. Limit access to only trusted users through the use of such things as passwords, usernames, smartcards, biometrics, automatic timers, and physical locks;[x]
2. Ensure that only trusted content is within the device and/or system by such means as restricting updates to the same or using encryption;[xi]
3. “Detect, respond, and uncover,” which can be accomplished by using procedures and features that alert users to security compromises, educate the end user(s) on detections of security breaches, and provide methods for retention and recovery of devices;[xii]
a. These elements are consistent with the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (i.e., Identify, Protect, Detect, Respond and Recover);[xiii]
4. Create a structured and systematic approach to risk management and quality management systems consistent with 21 CFR part 820, which would include methods to identify, characterize, and assess a cybersecurity vulnerability and methods to analyze, detect, and assess threat sources;[xiv]
5. Be proactive! Practice good cyber hygiene and reduce cybersecurity risks even when residual risk is acceptable;
6. Remediate by finding an official and/or temporary fix to cybersecurity vulnerabilities to reduce the risk of compromise to essential clinical performance to an acceptable level;
7. Keep in contact and maintain a solid, formal business relationship with any software vendors to ensure they are providing you timely information about any quality and/or security problems that you can correct and/or prevent;[xv] and
8. Incorporate elements consistent with the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (i.e., Identify, Protect, Detect, Respond and Recover).
The threat that a pacemaker will be hacked by foreign terrorists may be low, but the risk of devastating and life-threatening cybersecurity attacks in medical devices and healthcare is significant. To ensure the future protection of medical devices in a networked world, device manufacturers, regulatory bodies, healthcare providers and patients must engage in a coordinated proactive approach that includes standard cybersecurity assessment and control, together with specific medical device data and workflow considerations.
[i] U.S. Food and Drug Administration, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff, October 2, 2014.
[ii] U.S. Food and Drug Administration, Postmarket Management of Cybersecurity in Medical Devices, Draft Guidance for Industry and Food and Drug Administration Staff, January 22, 2016.
[iii] Supra note 1.
[v] Patricia AH Williams, Andrew J Woodward, Cybersecurity vulnerabilities in medical devices: a complex environment and multifaceted problem, Med Devices (Auckl). 2015; 8: 305–316.
[vii] Supra note 2.
[viii] Williams, Woodward, supra note 5.
[x] Supra note 1.
[xiv] Supra note 2.
[xv] U.S. Food and Drug Administration, Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software, May 28, 2015.