Commentary: Postmarket Management of Cybersecurity in Medical Devices
Over the last 18 months, an alarming number of medical device companies have had their security shortcomings exposed in public.
In 2015, Hospira’s LifeCare PCA3 and PCA5 infusion pumps were found to have security vulnerabilities that prompted a recall. In 2016, St. Jude’s Merlin@home™ remote cardiac monitoring devices were found to require security updates after the research firm MedSec reported vulnerabilities that could potentially lead to patient harm. While these security issues were discussed publicly in the press, one can only imagine the conversations behind the scenes at other medical device vendors around the country.
This increased concern about cybersecurity for medical devices prompted the Food and Drug Administration (“FDA”) to release a guidance document entitled “Postmarket Management of Cybersecurity in Medical Devices”. While some device vendors have assumed that the “guidance” nature of this document makes its recommendations optional, the FDA has taken the position that device manufacturers are already required to ensure the safety and effectiveness of their devices, and that this obligation extends to the evolving cybersecurity landscape. Therefore, a vendor that chooses not to follow this guidance must have another cybersecurity strategy of comparable effectiveness in order to avoid regulatory scrutiny.
It’s important to note that many of the recommendations in the guidance document will not come naturally to medical device vendors. These companies have long enjoyed “security through obscurity”, and haven’t made security a core component of their product development process.
For example, the FDA currently gives preferential regulatory treatment to device companies participating in “threat sharing” through an Information Sharing and Analysis Organization (“ISAO”). Vendors are encouraged to share information about security breaches and vulnerabilities with other healthcare technology companies. But vendors have traditionally viewed this data as competitive intelligence, and have actively shielded their security challenges from both the public and their competitors. Complying fully with the FDA’s ISAO recommendations will take a new perspective on data security and liability among device executives and their legal teams.
The FDA also advises that device vendors enhance their products to proactively detect cybersecurity threats, and to produce “forensically sound evidence capture” in the case of a security breach. Building this kind of capability into an embedded device is non-trivial, and it is not part of a medical device company’s core competencies. Device vendors will need to turn to companies focused on this area of cybersecurity for assistance to meet this goal.
Finally, the FDA would like manufacturers to have a process to assess cybersecurity vulnerabilities “horizontally (i.e., across all medical devices within the manufacturer’s product portfolio and sometimes referred to as variant analyses) and vertically (i.e., determine if there is an impact on specific components within the device).” A given device vendor may have dozens of products with multiple applications, each with a different technology stack and set of software dependencies. Tracking known vulnerabilities across such a portfolio requires a component inventory for every product and tooling to match newly published vulnerabilities against it, neither of which has historically been common within medical device vendors.
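As an added illustration of the horizontal and vertical assessment the guidance describes (this is example code written for this post, not MedCrypt’s product or anything from the FDA document), the script below keeps a per-product component inventory, matches a vulnerability feed against it by version range, and answers both questions: which products carry an affected component (variant analysis), and which components inside one product are affected. The product names, component names, versions and vulnerability identifiers are all constructed placeholders.

```python
"""Horizontal (variant) and vertical vulnerability analysis over a device portfolio.

Added example for this post. All product names, component names, versions and
vulnerability IDs below are constructed; they are not real devices or advisories.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> tuple for correct ordering ('1.10.0' > '1.9.9')."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str            # placeholder identifier, not a real CVE
    component: str          # name of the affected software component
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix published yet


def is_affected(vuln: Vulnerability, comp: Component) -> bool:
    """True when the component build falls inside the vulnerability's version range."""
    if comp.name != vuln.component:
        return False
    v = parse_version(comp.version)
    if v < parse_version(vuln.introduced):
        return False
    return vuln.fixed is None or v < parse_version(vuln.fixed)


# Constructed inventory: product -> components shipped in its current firmware.
PORTFOLIO: Dict[str, List[Component]] = {
    "infusion-pump-a": [Component("tls-lib", "1.0.2"), Component("net-stack", "3.4.0"),
                        Component("pump-ui", "2.1.0")],
    "infusion-pump-b": [Component("tls-lib", "1.1.0"), Component("net-stack", "3.4.0")],
    "cardiac-monitor": [Component("tls-lib", "1.0.1"), Component("telemetry-agent", "0.9.0")],
    "home-gateway":    [Component("tls-lib", "1.0.2"), Component("net-stack", "3.6.0"),
                        Component("telemetry-agent", "1.2.0")],
}

# Constructed vulnerability feed; the IDs are placeholders.
FEED: List[Vulnerability] = [
    Vulnerability("VULN-0001", "tls-lib", "1.0.0", "1.0.3"),
    Vulnerability("VULN-0002", "net-stack", "3.0.0", "3.5.0"),
    Vulnerability("VULN-0003", "telemetry-agent", "1.0.0", None),   # still unfixed
]


def horizontal(vuln_id: str, portfolio=PORTFOLIO, feed=FEED) -> List[str]:
    """Variant analysis: every product whose inventory contains an affected build."""
    vulns = [v for v in feed if v.vuln_id == vuln_id]
    return sorted(
        product for product, comps in portfolio.items()
        if any(is_affected(v, c) for v in vulns for c in comps)
    )


def vertical(product: str, portfolio=PORTFOLIO, feed=FEED) -> List[Tuple[str, str, str]]:
    """Per-device drill-down: (component, version, vuln_id) for each affected component."""
    hits = [
        (comp.name, comp.version, v.vuln_id)
        for comp in portfolio[product]
        for v in feed
        if is_affected(v, comp)
    ]
    return sorted(hits)


def unfixed_exposure(portfolio=PORTFOLIO, feed=FEED) -> Dict[str, List[str]]:
    """Vulnerabilities with no fix yet, mapped to the products that need compensating controls."""
    return {v.vuln_id: horizontal(v.vuln_id, portfolio, feed) for v in feed if v.fixed is None}


if __name__ == "__main__":
    for v in FEED:
        print(f"{v.vuln_id}: {', '.join(horizontal(v.vuln_id)) or 'no products affected'}")
    for product in PORTFOLIO:
        print(f"{product}: {vertical(product)}")
    print("unfixed:", unfixed_exposure())
```

The inventory here is a hand-written dictionary; in practice it would be generated from each product’s build system so that it stays in step with what actually ships, and the feed would be populated from vendor advisories and ISAO reports rather than typed in.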
MedCrypt was founded in 2016 to help medical device vendors defend against the threats of an evolving cybersecurity landscape. Our software security framework allows companies to easily integrate financial-grade security into their medical devices and to know which vulnerabilities are present in any of their products in real-time.
With new technologies, device vendors can now detect suspicious behavior and keep a record of transactions between users and devices that allows cybersecurity incidents to be analyzed in a forensically sound way. MedCrypt’s cross-vendor transaction monitoring allows users to share threat data anonymously with the healthcare community, satisfying the FDA’s request for ISAO participation and, in turn, gaining the regulatory advantages associated with it.
At MedCrypt, we are eager for the day when medical devices are as safe from cybersecurity threats as common financial transactions. Unfortunately, this era of uncertainty and misinformation is likely to lead to continued breaches, as the industry scrambles to catch up.
Guest Blog Post By: Mike Kijewski, Co-Founder and Chief Executive Officer, MedCrypt