CDRH has scheduled a cybersecurity workshop entitled, “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity,” on January 20-21, 2016 (see here for the Federal Register announcement).
Background and Workshop Context
As we discussed in a previous blog post, cybersecurity vulnerability is an increasing concern as medical devices are becoming more connected to the Internet, hospital networks, and other medical devices. Cybersecurity vulnerabilities may result in device malfunction, interruption of healthcare services including treatment interventions, inappropriate access to patient information, and breached electronic health record data integrity.
In the Federal Register announcement for the workshop, FDA states protecting the Healthcare and Public Health (HPH) critical infrastructure from attack by strengthening cybersecurity is a “high priority” of the Federal Government. For example, two recent Executive Orders (here and here) address enhancing cybersecurity infrastructure and increasing cybersecurity information sharing. Additionally, Presidential Policy Directive 21 states that the Federal Government shall work with the private sector to manage risk and strengthen the security and resilience of critical infrastructure against cyber threats.
Given this context, FDA, other governmental agencies, and public/private partnerships have sought to address cybersecurity vulnerability in recent years. For example, last year, CDRH finalized its guidance for industry entitled, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” Also in 2014, the National Institute of Standards and Technology (NIST) published a voluntary, risk-based framework focusing on enhanced cybersecurity. According to FDA, the HPH sector has utilized the framework to help manage and limit cybersecurity risks.
At the public workshop, CDRH hopes to address vulnerability management throughout the medical device total product lifecycle. According to the Federal Register announcement, vulnerability management includes: analyzing how a vulnerability may affect device functionality, evaluating the vulnerability effect across product types, and selecting temporary solutions that may be employed until a permanent fix can be implemented. Vulnerabilities can be identified by the device manufacturer or external entities, including healthcare facilities, researchers, and other sectors of critical infrastructure.
The Agency believes an important component of vulnerability management is coordinated vulnerability disclosure (also known as responsible disclosure). Under coordinated vulnerability disclosure, all stakeholders agree to delay publicizing vulnerability details for a certain period of time, while the affected manufacturer works to rectify the vulnerability.
Further, CDRH states that one of the tools medical device manufacturers or healthcare facilities may use to evaluate and manage vulnerability is the Common Vulnerability Scoring System (CVSS). CVSS is a risk assessment tool that “provides an open and standardized method for rating information technology vulnerabilities.” CDRH notes, however, that CVSS does not directly incorporate patient risk and public health impact factors.
CDRH states that it hopes to address the following general themes during the workshop:
- Envisioning a roadmap for coordinated vulnerability disclosure and vulnerability management as part of the broader effect to create a trusted environment for information sharing.
- Sharing FDA’s current thinking on the implementation of the NIST framework in the medical device total product lifecycle.
- Adapting cybersecurity and/or risk assessment tools such as CVSS for the medical device operational environment.
- Adapting and/or implementing existing cybersecurity standards for medical devices.
- Understanding the challenges that manufacturers face as they increase collaboration with external third parties (cybersecurity researchers, Information Sharing and Analysis Organizations (ISAOs), and end users), to resolve cybersecurity vulnerabilities that impact their devices.
- Gaining situational awareness of the current activities of the HPH sector to enhance medical device cybersecurity.
- Identifying cybersecurity gaps and challenges that persist in the medical device ecosystem and begin crafting action plans to address them.
Persons interested in attending the workshop must register online by January 13, 2016. Public comments concerning the workshop’s objectives or general themes can be submitted online or by mail.