MEDICAL DEVICE CYBERSECURITY: AN FDA UPDATE

NCHICA AMC CONFERENCE
JUNE 12, 2018

SUZANNE B. SCHWARTZ, MD, MBA
CDRH / FDA

ASSOCIATE DIRECTOR FOR SCIENCE & STRATEGIC PARTNERSHIPS

www.fda.gov

Bottom Line Up Front (BLUF)

• “Whole of community” approach: Collaboration is key
• Security spans across the total product lifecycle
• Impact on critical infrastructure within and across sectors
• Shifting the mindset:
  – Consider scenarios beyond “intended use”
  – Integrate threat modeling
  – Beware of using probabilistic determinations—these can yield a false sense of security
• Foster culture and create incentives that encourage proactive behavior, especially for information-sharing
• Major strides made AND acceleration necessary

First, A Word About Vulnerabilities

• Vulnerabilities are ubiquitous
• Vulnerability finders are not adversaries
• Shared interest in protecting against harm
• Coordinated disclosure relies on mutual respect and understanding of each party’s needs and constraints
• Leverage informational standards:
  – ISO/IEC 29147 Vulnerability Disclosure
  – ISO/IEC 30111 Vulnerability Handling Processes
• Vulnerability Coordination Maturity Model (VCMM): https://hackerone.com/blog/vulnerability-coordination-maturity-model

Medical Device Vulnerabilities

• Network-connected medical devices infected or disabled by malware
• Malware on hospital computers, smartphones/tablets, and other wireless mobile devices used to access patient data, monitoring systems, and implanted patient devices
• Uncontrolled distribution of passwords
• Failure to provide timely security software updates and patches
• Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access

Executive Orders (EO), Presidential Policy Directives, and Framework to Strengthen Cybersecurity and Critical Infrastructure

• EO 13636 (Feb 2013)
  “We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.”
• PPD 21 (Feb 2013)
• National Institute of Standards and Technology (NIST) Voluntary Framework (v1.0 - Feb 2014, v1.1 - draft Jan 2017)
• EO 13691 (Feb 2015) – establishment of Information Sharing and Analysis Organizations (ISAO)
• EO 13800 (May 2017) - “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”

FDA Cybersecurity History

[Timeline figure. Years shown: 2013, 2014, 2015, 2016, 2017, 2018. Milestone groups shown on the timeline:]

• Executive Orders; FDA Safety Communication; Draft Premarket Guidance; Begin Coordination with DHS; Recognize Standards; Establish Incident Response Team
• Final Premarket Guidance; MOU with NH-ISAC; Public Workshop
• Product-Specific Safety Comm; Build Ecosystem/Collaboration
• Draft and Final Postmarket Guidance; Public Workshop; MOU with NH-ISAC/MDISS
• Product-Specific Safety Comm; 1st Cybersecurity WL

• 2005: Issued guidance
• 2008: Halpern, et al.
• 2009: Issued safety communication
• 2011: “Hacking” of implantable insulin pump (Radcliffe)
• 2012: First recall of vulnerable software (Roche - PC Anywhere)
• 2013: Recall of TNS-listener (Roche)

FDA Cybersecurity Work Products

Key Medical Device Cybersecurity Myth Busters

• Myth: Manufacturers are not permitted to make updates to devices for cybersecurity without going back to FDA first for “re-certification”

• Fact: Most medical device software changes made solely to strengthen cybersecurity do not require pre-market review or product recall (there are some exceptions).

• Myth: Cybersecurity of medical devices is voluntary for medical device manufacturers and not enforceable.

• Fact: Medical device manufacturers are required by law to comply with all applicable regulations, including the quality system regulations (QSRs). The pre- and post-market cybersecurity guidances articulate that a comprehensive, structured and systematic cybersecurity risk management program is necessary under the Quality System Regulation.

Premarket Cybersecurity Guidance

• Draft June 2013
• Final October 2014
• Key Principles:
  – 1) Shared responsibility between stakeholders, including healthcare facilities, patients, providers, and manufacturers of medical devices
  – 2) Address cybersecurity during the design and development of the medical device
  – 3) Establish design inputs for devices related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 CFR 820.30(g)

Key Principles of FDA Postmarket Management of Cybersecurity in Medical Devices

• Use a risk-based framework to assure risks to public health are addressed in a continual and timely fashion
• Articulate manufacturer responsibilities by leveraging existing Quality System Regulation and postmarket authorities
• Foster a collaborative and coordinated approach to information sharing and risk assessment
• Align with Presidential EOs and NIST Framework
• Incentivize the “right” behavior

Cybersecurity – Assessing Risk

Assessment of impact of vulnerability on safety and essential performance of the medical device based on:

• Severity of Patient Harm (if the vulnerability were to be exploited)

• Exploitability

Assessing Exploitability with Common Vulnerability Scoring System (CVSS)

CVSS – Common Vulnerability Scoring System https://www.first.org/cvss

• Establish a repeatable process by leveraging existing frameworks (e.g. CVSS)

Base Scoring (risk factors of the vulnerability)
  – Attack Vector (physical, local, adjacent, network)
  – Attack Complexity (high, low)
  – Privileges Required (none, low, high)
  – User Interaction (none, required)
  – Scope (changed, unchanged)
  – Confidentiality Impact (high, low, none)
  – Integrity Impact (none, low, high)
  – Availability Impact (high, low, none)

Temporal Scoring (risk factors that change over time)
  – Exploit Code Maturity (high, functional, proof-of-concept, unproven)
  – Remediation Level (unavailable, work-around, temporary fix, official fix, not defined)
  – Report Confidence (confirmed, reasonable, unknown, not defined)

Postmarket Cybersecurity Risk Assessment

Changes to a Device for Controlled vs. Uncontrolled Risk

[Flowchart: Distinguishing Medical Device Recalls from Medical Device Enhancements. ISAO = Information Sharing and Analysis Organization.]

Flowchart elements:
• Risk of patient harm: Controlled or Uncontrolled
• Changes are cybersecurity routine updates and patches, device enhancements
• Meet three criteria (Yes / No):
  1. No adverse events
  2. Remediate within timeline
  3. Active participant in an ISAO
• Part 806 report (Reports of Corrections and Removals) not required
• Part 806 report required

Lessons Learned—Evolving Our Thinking

• Coordinated vs. non-coordinated disclosure of device vulnerabilities
  – Ability to get to ground truth as fast as possible so that mitigations can be proactively communicated and executed in a timely manner
    • JnJ Animas Insulin Pump
  – Non-coordinated disclosure results in delayed assessments, communications, and mitigations
    • St Jude/Abbott pacemakers and ICDs
• Impact on HPH critical infrastructure and potential disruption of clinical care
  – Patching operating system is not routine with safety-critical systems
    • WannaCry Global Cyber Attack (May 2017)
    • Petya/notPetya (July 2017)
  – Delays in diagnosis/treatment intervention can result in patient harm too
• Potential for remote, multi-patient (i.e., scaled) attack of highest concern for harm

Medical Device Safety Action Plan: Advancing Medical Device Cybersecurity

• Update 2014 premarket guidance
• Consider seeking additional premarket and postmarket authorities to:
  – Require that firms build capabilities to update and patch device security into a product’s design and to include appropriate data supporting this capability in premarket submissions to FDA for review
  – Require firms to develop a “Software Bill of Materials” (SBOM) and to share with customers
  – Require that firms adopt policies and procedures for coordinated disclosure of vulnerabilities as they are identified
• Request appropriations for seeding establishment of a CyberMed Safety (Expert) Analysis Board (CYMSAB) functioning as a public-private model, and serving the ecosystem as a neutral entity

Key Takeaways

• “Whole of community” approach: Collaboration is key
• Security spans across the total product lifecycle
• Impact on critical infrastructure within and across sectors
• Shifting the mindset:
  – Consider scenarios beyond “intended use”
  – Integrate threat modeling
  – Beware of using probabilistic determinations—these can yield a false sense of security
• Foster culture and create incentives that encourage proactive behavior, especially for information-sharing
• Major strides made AND acceleration necessary

Thank You!

Contacts:

• CDRH mailbox, [email protected]
• Schwartz, [email protected]
• Ross, [email protected]
• Dar, [email protected]
• Carmody, [email protected]

FDA Medical Device Cybersecurity Informational Webpage: https://www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm