MEDICAL DEVICE CYBERSECURITY: AN FDA UPDATE
NCHICA AMC CONFERENCE
JUNE 12, 2018
SUZANNE B. SCHWARTZ, MD, MBA
CDRH / FDA
ASSOCIATE DIRECTOR FOR SCIENCE & STRATEGIC PARTNERSHIPS
www.fda.gov
Bottom Line Up Front (BLUF)
• “Whole of community” approach: Collaboration is key
• Security spans across the total product lifecycle
• Impact on critical infrastructure within and across sectors
• Shifting the mindset:
  – Consider scenarios beyond “intended use”
  – Integrate threat modeling
  – Beware of using probabilistic determinations—these can yield a false sense of security
• Foster culture and create incentives that encourage proactive behavior, especially for information-sharing
• Major strides made AND acceleration necessary
First, A Word About Vulnerabilities
• Vulnerabilities are ubiquitous
• Vulnerability finders are not adversaries
• Shared interest in protecting against harm
• Coordinated disclosure relies on mutual respect and understanding of each party’s needs and constraints
• Leverage informational standards:
  – ISO/IEC 29147 Vulnerability Disclosure
  – ISO/IEC 30111 Vulnerability Handling Processes
• Vulnerability Coordination Maturity Model (VCMM): https://hackerone.com/blog/vulnerability-coordination-maturity-model
Medical Device Vulnerabilities
• Network-connected medical devices infected or disabled by malware
• Malware on hospital computers, smartphones/tablets, and other wireless mobile devices used to access patient data, monitoring systems, and implanted patient devices
• Uncontrolled distribution of passwords
• Failure to provide timely security software updates and patches
• Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access
Executive Orders (EO), Presidential Policy Directives, and Framework to Strengthen Cybersecurity and Critical Infrastructure
• EO 13636 (Feb 2013)
  “We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.”
• PPD 21 (Feb 2013)
• National Institute of Standards and Technology (NIST) Voluntary Framework (v1.0 - Feb 2014, v1.1 - draft Jan 2017)
• EO 13691 (Feb 2015) – establishment of Information Sharing and Analysis Organizations (ISAO)
• EO 13800 (May 2017) - “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”
FDA Cybersecurity History
Before 2013:
• 2005: Issued guidance
• 2008: Halpern, et al.
• 2009: Issued safety communication
• 2011: “Hacking” of implantable insulin pump (Radcliffe)
• 2012: First recall of vulnerable software (Roche - PC Anywhere)
• 2013: Recall of TNS-listener (Roche)

[Timeline figure, 2013–2018. Milestones shown:]
• Executive Orders; FDA Safety Communication; Draft Premarket Guidance; Begin Coordination with DHS; Recognize Standards; Establish Incident Response Team
• Final Premarket Guidance; MOU with NH-ISAC; Public Workshop
• Product-Specific Safety Comm; Build Ecosystem/Collaboration
• Draft and Final Postmarket Guidance; Public Workshop; MOU with NH-ISAC/MDISS
• Product-Specific Safety Comm
• 1st Cybersecurity WL
FDA Cybersecurity Work Products
Key Medical Device Cybersecurity Myth Busters
• Myth: Manufacturers are not permitted to make updates to devices for cybersecurity without going back to FDA first for “re-certification”
• Fact: Most medical device software changes made solely to strengthen cybersecurity do not require pre-market review or product recall (there are some exceptions).
• Myth: Cybersecurity of medical devices is voluntary for medical device manufacturers and not enforceable.
• Fact: Medical device manufacturers are required by law to comply with all applicable regulations, including the quality system regulations (QSRs). The pre- and post-market cybersecurity guidances articulate that a comprehensive, structured and systematic cybersecurity risk management program is necessary under the Quality System Regulation.
Premarket Cybersecurity Guidance
• Draft June 2013
• Final October 2014
• Key Principles:
– 1) Shared responsibility between stakeholders, including healthcare facilities, patients, providers, and manufacturers of medical devices
– 2) Address cybersecurity during the design and development of the medical device
– 3) Establish design inputs for devices related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 CFR 820.30(g)
Key Principles of FDA Postmarket Management of Cybersecurity in Medical Devices
• Use a risk-based framework to assure risks to public health are addressed in a continual and timely fashion
• Articulate manufacturer responsibilities by leveraging existing Quality System Regulation and postmarket authorities
• Foster a collaborative and coordinated approach to information sharing and risk assessment
• Align with Presidential EOs and NIST Framework
• Incentivize the “right” behavior
Cybersecurity – Assessing Risk
Assessment of impact of vulnerability on safety and essential performance of the medical device based on:
• Severity of Patient Harm (if the vulnerability were to be exploited)
• Exploitability
Assessing Exploitability with Common Vulnerability Scoring System (CVSS)
CVSS – Common Vulnerability Scoring System https://www.first.org/cvss
• Establish a repeatable process by leveraging existing frameworks (e.g. CVSS)
Base Scoring (risk factors of the vulnerability)
  – Attack Vector (physical, local, adjacent, network)
  – Attack Complexity (high, low)
  – Privileges Required (none, low, high)
  – User Interaction (none, required)
  – Scope (changed, unchanged)
  – Confidentiality Impact (high, low, none)
  – Integrity Impact (none, low, high)
  – Availability Impact (high, low, none)
Temporal Scoring (risk factors that change over time)
  – Exploit Code Maturity (high, functional, proof-of-concept, unproven)
  – Remediation Level (unavailable, work-around, temporary fix, official fix, not defined)
  – Report Confidence (confirmed, reasonable, unknown, not defined)
Postmarket Cybersecurity Risk Assessment
Changes to a Device for Controlled vs. Uncontrolled Risk
[Flowchart: risk of patient harm, Controlled vs. Uncontrolled]
• Controlled: Changes are cybersecurity routine updates and patches, device enhancements
• Uncontrolled: Meet three criteria:
  1. No adverse events
  2. Remediate within timeline
  3. Active participant in an ISAO
  – Yes: Part 806 report (Reports of Corrections and Removals) not required
  – No: Part 806 report required
Reference: Distinguishing Medical Device Recalls from Medical Device Enhancements
ISAO (Information Sharing and Analysis Organization)
Lessons Learned—Evolving Our Thinking
• Coordinated vs. non-coordinated disclosure of device vulnerabilities
  – Ability to get to ground truth as fast as possible so that mitigations can be proactively communicated and executed in a timely manner
    • JnJ Animas Insulin Pump
  – Non-coordinated disclosure results in delayed assessments, communications, and mitigations
    • St Jude/Abbott pacemakers and ICDs
• Impact on HPH critical infrastructure and potential disruption of clinical care
  – Patching operating system is not routine with safety-critical systems
    • WannaCry Global Cyber Attack (May 2017)
    • Petya/notPetya (July 2017)
  – Delays in diagnosis/treatment intervention can result in patient harm too
• Potential for remote, multi-patient (i.e., scaled) attack of highest concern for harm
Medical Device Safety Action Plan: Advancing Medical Device Cybersecurity
• Update 2014 premarket guidance
• Consider seeking additional premarket and postmarket authorities to:
  – Require that firms build capabilities to update and patch device security into a product’s design and to include appropriate data supporting this capability in premarket submissions to FDA for review
  – Require firms to develop a “Software Bill of Materials” (SBOM) and to share with customers
  – Require that firms adopt policies and procedures for coordinated disclosure of vulnerabilities as they are identified
• Request appropriations for seeding establishment of a CyberMed Safety (Expert) Analysis Board (CYMSAB) functioning as a public-private model, and serving the ecosystem as a neutral entity
Key Takeaways
• “Whole of community” approach: Collaboration is key
• Security spans across the total product lifecycle
• Impact on critical infrastructure within and across sectors
• Shifting the mindset:
  – Consider scenarios beyond “intended use”
  – Integrate threat modeling
  – Beware of using probabilistic determinations—these can yield a false sense of security
• Foster culture and create incentives that encourage proactive behavior, especially for information-sharing
• Major strides made AND acceleration necessary
Thank You!
Contacts:
CDRH mailbox, [email protected]
Schwartz, [email protected]
Ross, [email protected]
Dar, [email protected]
Carmody, [email protected]
FDA Medical Device Cybersecurity Informational Webpage:
https://www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm