FDA wants to require timely updates, patches for legacy devices: cyber chief
Strengthening medical device cybersecurity has never been a more urgent priority. With the number of connected devices used in hospital networks rapidly increasing, everything from insulin pumps to implantable cardiac pacemakers is vulnerable to security breaches by hackers, putting the health and safety of patients at risk.
Ransomware and other cyberattacks on healthcare organizations have spiked during the COVID-19 pandemic, creating a potentially dangerous environment in the face of growing cybersecurity threats from increasingly sophisticated hackers. FDA has responded in part by creating a new leadership position in early 2021 at its Center for Devices and Radiological Health for overseeing medical device security.
Kevin Fu, a University of Michigan associate professor and longtime security advocate, was picked to serve a one-year term as acting director of medical device cybersecurity at CDRH. Fu’s appointment as FDA’s first medical device cyber chief was applauded by pundits as a sign the agency is making security a priority.
Fu provided a sobering assessment last month of the current state of medical device cybersecurity when he told the Food & Drug Law Institute annual conference that “everything is hackable.” He warned that devices infected by ransomware can be prevented from properly performing critical clinical functions, which could lead to patient harm.
One of the biggest cybersecurity challenges is defending older legacy medical devices against new cyber threats. Many devices in operation today, running outdated or insecure software, hardware and protocols, were not built with cyber protections in mind, leaving healthcare organizations vulnerable to attack and putting the reputation and financial stability of device companies at risk.
MedTech Dive reached out to Fu, who is halfway through his tenure as an “expert in residence” at FDA, to get his take on medical device cybersecurity and how the agency’s regulatory policy can help address the vulnerabilities of devices.
Fu submitted written answers, which have been edited for clarity and brevity.
MEDTECH DIVE: As acting director of medical device cybersecurity at CDRH, what are your top priorities?
KEVIN FU: My position is within the CDRH Office of Strategic Partnerships & Technology Innovation and the new Digital Health Center of Excellence. My primary activities include envisioning a strategic roadmap for the future state of medical device cybersecurity, assessing opportunities for fully integrating cybersecurity principles through the lens of the Center’s Total Product Life Cycle model, training and mentoring CDRH staff for pre-market and post-market technical review of medical device cybersecurity, multi-stakeholder engagement across the diverse medical device and cybersecurity ecosystems, and fostering medical device cybersecurity collaborations across the federal government.
What would you rank as the top 3 medical device cyber risks, as you see them?
FU: The greatest cybersecurity risk today is unavailability, because a medical device unavailable to deliver patient care is not safe and effective. Ransomware and other threats can lead to unavailability. Long-term risks also include legacy outdated software that is difficult to keep secure and the need for thoughtful threat models during the early design of medical devices.
Will FDA be providing guidance on how manufacturers must address cybersecurity vulnerabilities in legacy devices?
FU: The finalized postmarket guidance on cybersecurity explains FDA’s present expectations for maintaining cybersecurity of deployed devices. The HHS FY21 budget justification also describes FDA’s proposed plans for legacy devices, especially on the topic of security patches for legacy devices.
The HHS FY21 Congressional budget justification states that currently there is no statutory requirement (pre- or post-market) that expressly compels medical device manufacturers to address cybersecurity. This proposal would advance medical device safety by ensuring FDA and the public have information about the cybersecurity of devices.
Specifically, FDA seeks to require that devices have the capability to be updated and patched in a timely manner; that premarket submissions to FDA include evidence demonstrating the capability from a design and architecture perspective for device updating and patching; a phased-in approach to a Cybersecurity Bill of Materials (CBOM), a list that includes but is not limited to commercial, open source, and off-the-shelf software and hardware components that are or could become susceptible to vulnerabilities; and that device firms publicly disclose when they learn of a cybersecurity vulnerability so users know when a device they use may be vulnerable and to provide direction to customers to reduce their risk.
The proposal also seeks to improve proactive responses to cybersecurity vulnerabilities.
Can you quantify the problem of cyber vulnerabilities for legacy medical devices?
FU: Quantifying cyber vulnerabilities is very challenging. For instance, it’s important that medical device manufacturers provide Software Bills of Materials (SBOMs) to better understand exposure to risk of both known and future vulnerabilities in third-party software in legacy devices.
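The point Fu makes about SBOMs, that a stored bill of materials answers exposure questions for both known and newly published vulnerabilities without re-examining the device, can be shown concretely. The following is an added example, not code from the article, FDA or any manufacturer: two CycloneDX-style SBOMs for hypothetical legacy device models and a handful of advisory records are constructed inline (the package versions and advisory IDs are placeholders, not real CVEs), and the functions match SBOM component versions against the advisories' affected version ranges.

```python
"""Added example: SBOM-driven exposure check for fielded legacy devices.
All SBOM contents and advisory records are constructed for illustration."""
import json
import re

_PART = re.compile(r"(\d+)([^.]*)")


def version_key(version):
    """Map '1.0.2k' to ((1, ''), (0, ''), (2, 'k')) so versions compare in order.
    Handles dotted numbers with an optional letter suffix; not a full semver parser."""
    key = []
    for part in version.split("."):
        m = _PART.fullmatch(part)
        if not m:
            raise ValueError(f"unparseable version component: {part!r}")
        key.append((int(m.group(1)), m.group(2)))
    return tuple(key)


def is_affected(version, introduced, fixed):
    """True when version lies in the half-open range [introduced, fixed)."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def load_components(sbom_json):
    """Return [(name, version)] from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def exposed_components(sbom_json, advisories):
    """Return [(component, version, advisory_id)] for every advisory whose
    affected range covers a component version listed in the SBOM."""
    hits = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                hits.append((name, version, adv["id"]))
    return hits


def devices_exposed_to(inventory, advisory):
    """inventory maps a device model to its stored SBOM. When a new advisory
    appears, the stored SBOMs answer 'which fielded models does this touch?'
    without touching a device: the 'future vulnerabilities' value of an SBOM."""
    return sorted(model for model, sbom in inventory.items()
                  if exposed_components(sbom, [advisory]))


# Constructed CycloneDX SBOMs for two hypothetical legacy device models.
PUMP_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.0.2k", "purl": "pkg:generic/openssl@1.0.2k"},
        {"type": "library", "name": "busybox", "version": "1.31.1", "purl": "pkg:generic/busybox@1.31.1"},
        {"type": "library", "name": "lwip", "version": "2.1.2", "purl": "pkg:generic/lwip@2.1.2"},
    ],
})
MONITOR_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.0h", "purl": "pkg:generic/openssl@1.1.0h"},
        {"type": "library", "name": "lwip", "version": "2.0.3", "purl": "pkg:generic/lwip@2.0.3"},
    ],
})
INVENTORY = {"infusion-pump": PUMP_SBOM, "patient-monitor": MONITOR_SBOM}

# Constructed advisory records standing in for a vulnerability feed. Each gives
# the affected half-open version range. IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-0001", "package": "openssl", "introduced": "1.0.0", "fixed": "1.0.2u"},
    {"id": "ADV-0002", "package": "openssl", "introduced": "1.1.0", "fixed": "1.1.1"},
    {"id": "ADV-0003", "package": "busybox", "introduced": "1.0.0", "fixed": "1.30.0"},
]

if __name__ == "__main__":
    for model, sbom in INVENTORY.items():
        print(model, exposed_components(sbom, ADVISORIES))
    # A newly published advisory: which fielded models does it reach?
    new_adv = ADVISORIES[1]
    print(new_adv["id"], "affects:", devices_exposed_to(INVENTORY, new_adv))
```

The version comparison is deliberately simple; in practice the advisory feed would be matched on package URLs (the `purl` field) rather than bare names, and a real feed would carry several ranges per advisory. The structure is the point: once each fielded model's SBOM is on file, exposure to a vulnerability published years after shipment is a lookup, not a field investigation.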
One area of quantitative opportunity is in applying the MITRE rubric for translating Common Vulnerability Scoring System (CVSS) scores into clinically relevant risk for medical devices. CVSS scores provide an IT-centric view of cyber risk. Medical devices instead need an OT (Operational Technology)-centric view of cyber risk. This is why FDA worked with the MDM community, healthcare providers, security experts and MITRE to come up with a “clinical rubric” that translates the CVSS risk calculus from the IT world to the clinical care OT world. In 2019, FDA formally qualified the MITRE Clinical Rubric for CVSS as a Medical Device Development Tool (or MDDT) to enable its use for quantifying cybersecurity risk of medical devices.
What is FDA doing to support the implementation of the Software Bill of Materials?
FU: FDA is actively engaged with the International Medical Device Regulators Forum on Software Bills of Materials (SBOMs) and is supportive of the NTIA effort on SBOM. The FDA response to NIST also includes passages on FDA’s support of SBOM as a key part of protecting medical device cybersecurity.
How big of a problem is ransomware and what are the potential threats to medical devices?
FU: Ransomware is a symptom of shortcomings in threat models during early medical device design. For instance, if a medical device depends on the real-time availability of a cloud, then a medical device needs to remain available for safe and effective therapy and diagnosis even if ransomware causes a disruption to the cloud. A medical device with an appropriate threat model for these foreseeable risks can then deliberately include design controls to withstand the deleterious effects of ransomware.
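The design control Fu describes, a device that keeps delivering therapy when the cloud it normally depends on is disrupted, can be shown side by side with the design it replaces. The following is an added example, not code from the article, FDA or any manufacturer: the controller, the limit values, the staleness bound and the simulated cloud are all hypothetical. The naive controller blocks every rate check on a cloud call and becomes unavailable the moment the cloud is unreachable; the resilient controller caches last-known-good values, bounds their age, rejects implausible values (a compromised cloud is part of the threat model too) and falls back to conservative built-in limits, so a rate check never raises and never waits on the network.

```python
"""Added example: keeping a cloud-dependent device available through a cloud
outage. Controller, limits and simulated cloud are hypothetical."""
import time

# Conservative built-in limits used when no trustworthy cloud values are on hand.
# Hypothetical numbers for a notional infusion device.
FAILSAFE_LIMITS = {"max_rate_ml_h": 50.0, "max_bolus_ml": 1.0}
# Hardware ceiling; cloud values above this are rejected as implausible.
HARD_CEILING = {"max_rate_ml_h": 500.0, "max_bolus_ml": 10.0}


class CloudUnavailable(Exception):
    """Raised by the cloud client when the limits service cannot be reached."""


class NaiveController:
    """'Before' design: every rate check calls the cloud. During an outage the
    call raises and therapy cannot proceed, so the device is unavailable."""

    def __init__(self, fetch_limits):
        self.fetch_limits = fetch_limits

    def allowed_rate(self, requested_ml_h):
        limits = self.fetch_limits()  # propagates CloudUnavailable
        return min(float(requested_ml_h), limits["max_rate_ml_h"])


class ResilientController:
    """Design control: cache last-known-good cloud values, bound their age, and
    fall back to built-in conservative limits. Rate checks never raise."""

    def __init__(self, fetch_limits, clock=time.monotonic, max_stale_s=3600.0):
        self.fetch_limits = fetch_limits
        self.clock = clock
        self.max_stale_s = max_stale_s
        self.cached = None
        self.cached_at = None

    @staticmethod
    def _plausible(limits):
        """Reject malformed, non-positive, NaN or above-ceiling values."""
        try:
            return all(0.0 < float(limits[k]) <= HARD_CEILING[k] for k in FAILSAFE_LIMITS)
        except (KeyError, TypeError, ValueError):
            return False

    def refresh(self):
        """Try the cloud once; keep the previous values on any failure."""
        try:
            limits = self.fetch_limits()
        except Exception:
            return False
        if not self._plausible(limits):
            return False
        self.cached = {k: float(limits[k]) for k in FAILSAFE_LIMITS}
        self.cached_at = self.clock()
        return True

    def current_limits(self):
        """Return (limits, source); source is 'cached' or 'failsafe'."""
        if self.cached is not None and self.clock() - self.cached_at <= self.max_stale_s:
            return dict(self.cached), "cached"
        return dict(FAILSAFE_LIMITS), "failsafe"

    def allowed_rate(self, requested_ml_h):
        limits, _ = self.current_limits()
        return min(float(requested_ml_h), limits["max_rate_ml_h"])


class FakeClock:
    """Constructed clock so the staleness bound can be crossed in a test."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t


class FakeCloud:
    """Constructed stand-in for the limits service: returns patient-specific
    limits until .down is set, then raises like a real client would."""
    def __init__(self, limits):
        self.limits, self.down = limits, False

    def fetch(self):
        if self.down:
            raise CloudUnavailable("limits service unreachable")
        return dict(self.limits)


def run_outage_scenario():
    """Boot, cloud sync, outage, then an outage lasting past the staleness bound.
    Returns [(step, source, allowed rate for a 200 ml/h request)]."""
    clock, cloud = FakeClock(), FakeCloud({"max_rate_ml_h": 120.0, "max_bolus_ml": 2.0})
    ctl = ResilientController(cloud.fetch, clock=clock.now, max_stale_s=3600.0)
    trace = []

    def record(step):
        trace.append((step, ctl.current_limits()[1], ctl.allowed_rate(200)))

    record("boot")                   # no cloud contact yet: failsafe limits
    ctl.refresh(); record("synced")  # cloud values in use
    cloud.down = True
    ctl.refresh(); record("outage")  # refresh fails, cache still fresh
    clock.t += 7200.0
    ctl.refresh(); record("stale")   # cache older than bound: back to failsafe
    return trace


def naive_survives_outage():
    """Same outage against the 'before' design; False means the device is unavailable."""
    cloud = FakeCloud({"max_rate_ml_h": 120.0, "max_bolus_ml": 2.0})
    cloud.down = True
    try:
        NaiveController(cloud.fetch).allowed_rate(200)
        return True
    except CloudUnavailable:
        return False


if __name__ == "__main__":
    for step in run_outage_scenario():
        print(step)
    print("naive design survives outage:", naive_survives_outage())
```

The staleness bound is the piece a threat model has to decide deliberately: too short and a routine network blip drops the device to its conservative limits, too long and a stale or attacker-frozen configuration stays in force. Either way the device keeps operating, which is the property the answer above asks for.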