Debrief: Collaborative Approaches to Medical Device Cybersecurity – Drug and Device Digest

FDA Meeting Debrief

Moving Forward: Collaborative Approaches to Medical Device Cybersecurity

FDA White Oak Campus

Jan 20-21, 2016

Organizer:

FDA – CDRH
Chair: Suzanne Schwartz, MD, MBA, Associate Director for Science and Strategic Partnerships

C0-Sponsors:

National Health Information Sharing Analysis Center
Dept. of Health and Human Services
Dept. of Homeland Security

Panelists: FDA, Industry, Academia, Profit & Nonprofit Cybersecurity Alliances, National Health Information Centers, Healthcare Systems

Issue: Medical device vulnerabilities can serve as access points for entry into hospital and health care facility networks leading to compromise of data confidentiality, integrity, and availability

Objective: Engage diverse stakeholders across medical device ecosystem to discuss and identify approaches to address unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity. The attention should be on ‘total product life cycle’ – from design to obsolescence

Meeting Discussions:

FDA

Has issued 2 guidances and has evaluated information contained in premarket submissions.

Premarket Cybersecurity Guidance (finalized 2014) emphasizes (a) shared responsibility between stakeholders, including health care facilities, patients, providers, and manufacturers (b) addressing cybersecurity during the design and development (c) establishing cybersecurity design inputs, vulnerability and management approach as part of software validation and risk analysis
Observation of Premarket submissions (2014-2015) indicated deficiencies in cybersecurity information as defined by the guidance
Postmarket Cybersecurity Guidance (draft issued 1/2015) emphasizes (a) collaborative approach to information sharing and risk assessment (b) manufacturer responsibilities by leveraging existing Quality System Regulation (c) alignment with Presidential Executive Orders and NIST Framework (d) Incentivizing the “right” behavior (e) using risk-based approach to addressing public health risks

Panel and Breakout Sessions

Panel experience and best practice sharing across several topics

Cyber threat landscape, implementation of NIST, Information Sharing and Analysis Organization (ISAO), Postmarket vulnerability handling and disclosure, manufacturing challenges, addressing gaps and challenges to strengthening cybersecurity, current activities in healthcare and public health sector, risk assessment tools, adapting and implementing medical device cybersecurity

Breakout sessions involving 400 attendees to share opinions and proposals for ISAOs, Coordinated vulnerability disclosure, gaps and action plan

Key Takehomes:

Cybersecurity is critical for total product lifecycle and is a collaborative effort across multiple stakeholders. Recognition of hackers ‘from hoodies to business suits’

There should be information sharing (profit/nonprofit organization) and collaborative discussion of setting of cybersecurity standards, conformity assessments and certifications across all stakeholders to strengthen the ecosystem; consideration of centralized listing

Experience from other sectors (eg banking, homeland security) can be leveraged; however, medical device approach needs to be grounded in context of patient safety and effectiveness