Cybersecurity risks to the health and medical device sector continue to be front and center both in Congress and the executive branch, with increasing risks coming from nation states, nonstate actors and other attackers. The health sector is one of 16 Critical Infrastructure (CI) sectors as defined by the U.S. Department of Homeland Security (DHS).
On May 11, 2018, the House Appropriations Committee passed the FY-19 Agriculture, Rural Development, Food and Drug Administration, and Related Agencies Appropriations Bill with an accompanying report that provides funds as well as a new directive to the Food and Drug Administration (FDA) to address cybersecurity risks. That bill mandates that FDA release a plan within 120 days of the bill's passage to address "cybersecurity challenges in medical devices and outline a pathway forward." The Committee references a number of specific strategies in its report including the need to "prevent cyber threats from spreading across hospital systems." The language is reflective of the ongoing concerns and the increased need to manage and combat cyber risks to medical devices, especially implantable devices.
At the same time, DHS continues to issue medical device cybersecurity vulnerability alerts through the ICS-CERT process. The CERT process is designed to share risks and provide updates to users, owners and operators so they can more quickly take action to address and mitigate cyber vulnerabilities. DHS' most recent cyber medical device alerts were issued earlier this month and it has been issuing medical device alerts for the past five years, as early as 2013.
FDA continues to raise the flag as well about cybersecurity risks and in April 2017, they issued a new Medical Device Safety Action Plan which addresses cybersecurity as a risk to the underlying safety of the medical device. The report states "…when medical devices are "poorly designed, poorly made and improperly used,' they can threaten and impair life." The Plan includes five main goals, one of which is focused on cybersecurity risks. The section which includes multiple components, one of which is the potential to develop a CyberMed Safety Expert Analysis Board which could also function as a "go team" to investigate cybersecurity attacks either at a manufacturer or the FDA's request. In recent years, FDA has added cybersecurity risk in its Safety Communications alerts as well.
As background, the first known FDA recall due to cybersecurity risks to medical devices came in 2017. However, over the course of the last five years, FDA has taken numerous steps to highlight and raise cybersecurity concerns to the health and medical device sector.
-
In 2013, the FDA began addressing cybersecurity risks to medical devices and recommended health care facilities "take steps to ensure that appropriate safeguards are in place to reduce the risk of device failure due to cyber-attack."
-
In 2014, the FDA held informational webinars and public workshops to discuss the risk and promote cybersecurity best practices. defenses.
-
In 2016, the FDA held additional workshops with "diverse stakeholders to discuss complex challenges in medical device cybersecurity that impact the medical device ecosystem."
As with other sectors, regulators are making clear that cybersecurity risk is a systemic risk and as with medical devices, it is already contemplated in the regulatory structure. DHS and FDA view cybersecurity risk as a foundational risk to the underlying safety of the medical device itself, and as such, must be fully managed and mitigated. At the same time, the FDA has indicated new regulations may also be needed, so more guidance from FDA is expected in the future.