The FDA, among other agencies, is hosting an event called Collaborative Approaches for Medical Device and Healthcare Cybersecurity. It’s a first step toward bringing together cybersecurity researchers, medical device manufacturers, healthcare providers, and others to get on the same page in addressing medical device cybersecurity. 220 people showed up in person – capacity of the event – and another 1,100 to watch the version via webinar. The fact that the workshop is happening, and that the turnout is so large, are already signs that the discussion and the industry are going in the right direction.
From the outset the tone was open and positive. Suzanne Schwartz a Director at the Center for Devices and Radiological Health (CDRH) at the FDA, and host for the event, made three key points in her opening statement.
- With increasing adoption of cyber technology there is an increased risk of cybersecurity incidents.
- With increased connectivity comes increased exposure to cyber threats.
- We have a shared ownership and responsibility of these risks with other stakeholders, and want to be proactive. The way forward is collaboration and leadership.
These common sentiments were echoed throughout the workshop by other panelists and speakers. And they’re very similar to what I Am The Cavalry has been saying for a long time, meaning we’re on the right track and in good company.
The FDA made it clear they are not looking to impose a new regulatory regime. Their goal is to leverage their role as regulator to enable a sustainable, self-healing medical device ecosystem. They said they want to work toward a future where medical devices are the most securable in the healthcare environment.
The keynote for Day 2 was Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator. His thesis was that the problems of cybersecurity are multi-faceted, and that the solutions must be as well. Economic, political, educational, psychological, and technical – but not insurmountable. A point well taken, and one that reinforces what we’ve been working toward.
Several speakers and presenters noted that vulnerabilities exist in all software. Security researchers finding these vulnerabilities is a good thing and leads to better protection. Manufacturers are on a learning curve to figuring this out similar to the one the software industry took over the last 30 years. More companies are overcoming the tendency to react to researchers by calling their legal teams, and are instead calling their security teams.
It seems we are making progress toward mutual empathy, rather than enmity. Developing formal and informal relationships – the kind that this workshop facilitates – allows us to understand one another better. This understanding others’ environments, motives, cares, limitations, etc. helps us drive towards better outcomes sooner.
A few statements and sentiments I pulled from the conversations are below.
- When you have an implantable medical device, will your doctor one day scan you for malware when you come in for a checkup?
- FDA field agents need better data logging and evidence capture to be able to investigate safety issues.
- We need better ways of tracking cybersecurity failures and their impact on patient care.
- If the success of your security program is dependent on the goodwill of strangers you’ve got the wrong program. It should be based on sound engineering and development principles.
- Doing security well doesn’t have to be expensive. Video games and mobile devices have very low security costs, but are very effective at keeping determined attackers out.
- You must be sure – not just assume – that medical devices can withstand the potentially hostile environment they are subjected to. Unknown and unanticipated conditions ARE the baseline environment.
- Contracting and procurement are the surest ways to drive vendors toward better cyber safety in their medical devices.
- Software supply chain is a known problem and solution. You have to verify the components that go into building your devices, not just assume they’re safe.
- Security often comes down to a series of small decisions along the way that are equivalent in most ways. One choice is demonstrably more secure than another. If decision-makers aren’t well informed, they’d have to be incredibly lucky to make the more secure choice every time. Luck isn’t enough when it comes to patient safety.
- The current security philosophy and corporate IT implementation isn’t just going to fail, it jeopardizes human life and public safety.
- We must begin to optimize our security programs for patient safety outcomes, rather than financial risk. That goes for manufacturers and healthcare providers.
- “If you focus on patient safety, everything else falls into place.” -Julian Goldman, Partners Healthcare