FDA Meeting Debrief
Moving Forward: Collaborative Approaches to Medical Device Cybersecurity
FDA White Oak Campus
Jan 20-21, 2016
Organizer:
- FDA – CDRH
- Chair: Suzanne Schwartz, MD, MBA, Associate Director for Science and Strategic Partnerships
Co-Sponsors:
- National Health Information Sharing and Analysis Center
- Dept. of Health and Human Services
- Dept. of Homeland Security
Panelists: FDA, Industry, Academia, Profit & Nonprofit Cybersecurity Alliances, National Health Information Centers, Healthcare Systems
Issue: Medical device vulnerabilities can serve as access points for entry into hospital and health care facility networks leading to compromise of data confidentiality, integrity, and availability
Objective: Engage diverse stakeholders across the medical device ecosystem to discuss and identify approaches to address unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity. The attention should be on the ‘total product life cycle’ – from design to obsolescence
Meeting Discussions:
FDA
Has issued 2 guidances and has evaluated information contained in premarket submissions.
- Premarket Cybersecurity Guidance (finalized 2014) emphasizes (a) shared responsibility between stakeholders, including health care facilities, patients, providers, and manufacturers; (b) addressing cybersecurity during design and development; (c) establishing cybersecurity design inputs and a vulnerability and management approach as part of software validation and risk analysis
- Observation of Premarket submissions (2014-2015) indicated deficiencies in cybersecurity information as defined by the guidance
- Postmarket Cybersecurity Guidance (draft issued 1/2015) emphasizes (a) a collaborative approach to information sharing and risk assessment; (b) manufacturer responsibilities by leveraging the existing Quality System Regulation; (c) alignment with Presidential Executive Orders and the NIST Framework; (d) incentivizing the “right” behavior; (e) using a risk-based approach to addressing public health risks
Panel and Breakout Sessions
Panel experience and best practice sharing across several topics
Cyber threat landscape, implementation of NIST, Information Sharing and Analysis Organization (ISAO), Postmarket vulnerability handling and disclosure, manufacturing challenges, addressing gaps and challenges to strengthening cybersecurity, current activities in healthcare and public health sector, risk assessment tools, adapting and implementing medical device cybersecurity
Breakout sessions involving 400 attendees to share opinions and proposals on ISAOs, coordinated vulnerability disclosure, gaps, and an action plan
Key Take-Homes:
- Cybersecurity is critical for total product lifecycle and is a collaborative effort across multiple stakeholders. Recognition of hackers ‘from hoodies to business suits’
- There should be information sharing (profit/nonprofit organizations) and collaborative discussion on setting cybersecurity standards, conformity assessments, and certifications across all stakeholders to strengthen the ecosystem; consideration of a centralized listing
- Experience from other sectors (e.g., banking, homeland security) can be leveraged; however, the medical device approach needs to be grounded in the context of patient safety and effectiveness
- Device manufacturers should follow the principles of Premarket Cybersecurity Guidance
ACTION: All stakeholders to review and comment on the draft Postmarket Cybersecurity Guidance by April 21, 2016
Graphic Memorialization:
By Stephanie Brown @stephscribes
Guidances:
Premarket Cybersecurity Guidance
Postmarket Cybersecurity Guidance