November 20, 2018 | Don DeLoach
Responding to the FDA’s guidelines on cyber security measures for medical devices
If a group of people sitting in a bar in Dallas speak about the Super Bowl outlook for the Cowboys, where each participant is able to rattle off statistics down to the blocking effectiveness of the offensive tackle, the perspective is obvious to them because they live this every day. They know it.
In the cybersecurity world, many of us have been saying, for some time now, that the market is making security a key factor in the equation; that it is no longer an afterthought where “good enough” is fine. But one security person speculating to another hardly ratifies the market direction. In fact, the market direction has to be supported by data points that define that direction ranging from increases in spending to increased prominence in products coming to market to actions such as regulatory bodies coming forward with requirements. Let’s be honest, regulatory authorities are not generally regarded as first movers, so when we see these kinds of signs, then perhaps the market really is waking up to make security a priority.
It is. This past week the Food and Drug Administration published a 24-page draft guidance, “Content of Premarket Submissions for Management of Cyber Security in Medical Devices.” And while the document contained many items, the key message was clear: the medical device industry needs to make security a priority.
For those of us in the market, this is a welcomed sign. It also makes complete sense. We are moving to an increasingly cyber-physical world. As the effectiveness of the devices, and the broader device ecosystems increases, so does our reliance on them and our expectations of the value they bring. But all of that rests on our ability to trust the devices. Trust is the ultimate enabling, or disabling factor. This seems to be well understood in the FDA guidance. The FDA had previously issued final guidance in 2014 but notes that the “rapidly evolving landscape, and the increased understanding of threats and their potential mitigations” necessitated an updated approach. Yay for the home team! They are right on this one.
Guidance for Connected Devices
The guidance splits the devices into two categories, with the key one being where the device is capable of connecting to another medical or non-medical product network or the internet; and a cybersecurity incident affecting the device could directly result in harm to patients. This makes common sense, but so do laws providing safeguards to keep the banking system from imploding. Common sense is not always the underpinning.
We have evolved, but not fast enough. Many of the medical devices in the market today are small, battery-powered devices with low processing power. These tend to be less secure, for the moment. In this regard, the insulin pump or the pacemaker might be viewed the same way as the tire valve on the SUV or the thermometer in the aquarium in the casino. Who would want to hack into those? How much security do those types of devices really need? But when the SUV is overtaken, and the Casino central database gets hacked, and the culprits are the tire valve and the thermometer, it becomes clear that the devices viewed as innocuous from a security standpoint are, in fact, necessary.
So when you then think about the importance of medical devices and the harm that can come to people when security is overlooked, it becomes clear that this needs to be taken seriously. The patient in the hospital might be easily hacked from two floors below. We are apparently concerned about state-sponsored attacks on our government, so why wouldn’t we be worried about attacks on our government officials, or everyday citizens? The FDA recognized this and published the guidance to push the market to shore up the security on medical devices.
A Layered Security Approach for Low-Power Devices
Included in the guidance are 14 specific recommendations, some that are particularly telling. There is a recommendation that includes providing a Cybersecurity Bill of Materials (CBOM). This would consist of a list of commercial, open source, and off-the-shelf software and hardware components to enable device users to manage their assets and identify vulnerabilities of the device effectively. It also speaks to the ability to deploy countermeasures to maintain the device’s essential performance. We think the industry will ultimately move to a best practice of implementing a layered security model.
There are many places in the overall ecosystem where security is deployed. There is the physical device itself. There is the communication channel, or channels, between the device and the first receiver of the data coming from the device. Other devices might interact with the device. There are the consuming applications that receive data from the device. Throughout the ecosystem there are a variety of security measures that can be taken. But going back to the device itself and common device characteristics, if the device is small, battery powered, and has limited processing power, then the security measures need to be in place to address this.
In particular, there needs to be reliable data encryption in place for the data as it’s created and as it is transferred to other destinations. This process should provide this capability regardless of the network used or the protocols required. As the data gets to the gateway or the cloud, additional security will likely be added. But the process has to start where the data is created. And the security measures must also be conducive to the operation of the device. If adding the security means you have to replace the battery once a week, that’s not really practical.
The Security Solution Already Exists
All of this, however, can be done today. CENTRI Technology provides this with our Protected Sessions product. There are other mechanisms in the market as well, although we proudly believe our approach is optimal. And it can be delivered as part of a layered security model, which is what we should be expecting. The medical device manufacturers will likely take this very seriously. We are involved in projects that are already doing this.
No medical device company CEO wants to read about their devices getting hacked on the cover of the Wall Street Journal. We expect the majority of these companies are extensively planning for increased FDA scrutiny of the cybersecurity protections of devices that they have in development. They will assume the specific regulations to evolve along these lines. In fact, as the understanding of the range of solutions regarding layered security models become better understood, along with increased knowledge of capabilities of products like Protected Sessions, many of these companies will also seek to retrofit existing products with more advanced capabilities in the short run.
That’s an easy win for them, That’s an easy win for everyone.
Thanks for reading,
Don DeLoach is the President and COO at CENTRI. Connect with him on LinkedIn.