Debrief: Collaborative Approaches to Medical Device Cybersecurity – Drug and Device Digest

FDA Meeting Debrief

Moving Forward: Collaborative Approaches to Medical Device Cybersecurity

FDA White Oak Campus

Jan 20-21, 2016

Organizer:

  • FDA – CDRH
  • Chair:  Suzanne Schwartz, MD, MBA, Associate Director for Science and Strategic Partnerships

C0-Sponsors:

  • National Health Information Sharing Analysis Center
  • Dept. of Health and Human Services
  • Dept. of Homeland Security

Panelists: FDA, Industry, Academia, Profit & Nonprofit Cybersecurity Alliances,  National Health Information Centers, Healthcare Systems

Issue: Medical device vulnerabilities can serve as access points for entry into hospital and health care facility networks leading to compromise of data confidentiality, integrity, and availability

Objective: Engage diverse stakeholders across medical device ecosystem to discuss and identify approaches to address unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity. The attention should be on ‘total product life cycle’ – from design to obsolescence

Meeting Discussions:

FDA

Has issued 2 guidances and has evaluated information contained in premarket submissions.

  • Premarket Cybersecurity Guidance (finalized 2014) emphasizes (a) shared responsibility between stakeholders, including health care facilities, patients, providers, and manufacturers (b) addressing cybersecurity during the design and development (c) establishing cybersecurity design inputs,  vulnerability and management approach as part of software validation and risk analysis
  • Observation of Premarket submissions (2014-2015) indicated deficiencies in cybersecurity information as defined by the guidance
  • Postmarket Cybersecurity Guidance (draft issued 1/2015) emphasizes (a) collaborative approach to information sharing and risk assessment (b) manufacturer responsibilities by leveraging existing Quality System Regulation (c) alignment with Presidential Executive Orders and NIST Framework (d) Incentivizing the “right” behavior (e) using risk-based approach to addressing public health risks

Panel and Breakout Sessions

Panel experience and best practice sharing across several topics

Cyber threat landscape, implementation of NIST, Information Sharing and Analysis Organization (ISAO), Postmarket vulnerability handling and disclosure, manufacturing challenges, addressing gaps and challenges to strengthening cybersecurity, current activities in healthcare and public health sector, risk assessment tools, adapting and implementing medical device cybersecurity

Breakout sessions involving 400 attendees to share opinions and proposals for ISAOs, Coordinated vulnerability disclosure, gaps and action plan

Key Takehomes:

  • Cybersecurity is critical for total product lifecycle and is a collaborative effort across multiple stakeholders. Recognition of hackers ‘from hoodies to business suits’
  • There should be information sharing (profit/nonprofit organization) and collaborative discussion of setting of cybersecurity standards, conformity assessments and certifications across all stakeholders to strengthen the ecosystem; consideration of centralized listing
  • Experience from other sectors (eg banking, homeland security) can be leveraged; however, medical device approach needs to be grounded in context of patient safety and effectiveness
  • Device manufacturers should follow the principles of Premarket Cybersecurity Guidance

ACTION : All stakeholders to review and comment on the draft Postmarket Cybersecurity Guidance by April 21, 2016

 Graphic Memorialization:

By Stephanie Brown @stephscribes

graphic.JPG

Guidances:

postmarket  Premarket

cyber

 

 

 

 

Premarket Cybersecurity Guidance

Postmarket Cybersecurity Guidance

Cybersecurity Page

Slides

 

 

 

 

Scroll to Top