SESSION ID: PS-W01
Safety Implications of Medical Device Cybersecurity
RSA Conference 2020 (#RSAC)

Speakers:
• Suzanne B. Schwartz, MD, MBA, Director, Office of Strategic Partnerships & Technology Innovation, Food and Drug Administration, suzanne.schwartz@fda.hhs.gov
• Margie Zuk, Senior Principal Cybersecurity Engineer, The MITRE Corporation, mmz@mitre.org

© 2020 The MITRE Corporation. All rights reserved. Approved for Public Release: 20-0468. Distribution Unlimited.

The products we regulate…
[Slide of product images; no text recovered]

Bottom Line Up Front (BLUF)
• "Whole of community" approach: collaboration is key
• Security spans the total product lifecycle
• Impact on critical infrastructure within and across sectors
• Shifting the mindset:
  – Consider scenarios beyond "intended use"
  – Integrate threat modeling
  – Beware of probabilistic determinations; they can yield a false sense of security (avoid "likelihood")
• Foster a culture and create incentives that encourage proactive behavior, especially information sharing
• Major strides made AND acceleration necessary

Framing the Issue
• Connected medical devices, like all other computer systems, incorporate software that is vulnerable to threats
• We are aware of cybersecurity vulnerabilities and incidents that have directly impacted medical devices or hospital network operations
• When medical device vulnerabilities are not addressed and remediated, they can be exploited, which can:
  – result in patient harm
  – serve as access points for entry into healthcare delivery organization (HDO) networks
• May lead to compromise of confidentiality, integrity, and availability

Shared Responsibility
[Stakeholder diagram] External stakeholders: Manufacturers, DHS, ISAOs, Professional Societies, Security Researchers, Patients, FDA, Clinicians, Health Care Facilities

Medical Device Cybersecurity Background
• Contain configurable embedded computer systems
• Increasingly interconnected
• Wirelessly connected
• Legacy devices
• Varied responsibilities for purchase, installation and maintenance of medical devices, often siloed
• Variable control over what is placed on the network
• Inconsistent training and education on security risks

Medical Device Vulnerabilities
• Network-connected medical devices infected or disabled by malware
• Malware on hospital computers, smartphones/tablets, and other wireless mobile devices used to access patient data, monitoring systems, and implanted patient devices
• Uncontrolled distribution of passwords
• Failure to provide timely security software updates and patches
• Security vulnerabilities in the off-the-shelf software that is designed to prevent unauthorized device or network access

CDRH* Cybersecurity History (*Center for Devices and Radiological Health)
[Timeline slide covering 2013 through 2019; the year assigned to each milestone was lost in extraction]
Milestones: Executive Orders; 1st Public Workshop; Final Premarket Cybersecurity Guidance; MOU with NH-ISAC; Postmarket Draft & Final Guidance; 2nd Public Workshop; MOU with NH-ISAC/MDISS; 3rd Public Workshop; 1st Cybersecurity WL; Safety Comms; Medical Device Safety Action Plan; Draft Premarket Guidance; Regional Playbook; DHS MOA; Product-Specific Safety Comm; Build Ecosystem/Collaboration; 4th Public Workshop; Defcon Biohacking Village; PEAC meeting
In progress: Update Premarket Cybersecurity Guidance; CVSS medical device rubric; Legacy device strategy

Key Principles of FDA Premarket Cybersecurity Guidance
• Shared responsibility between stakeholders, including healthcare facilities, patients, providers, and manufacturers of medical devices
• Address cybersecurity during the design and development of the medical device
• Establish design inputs for devices related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis required by 21 CFR 820.30(g)

Key Principles of FDA Postmarket Management of Cybersecurity in Medical Devices
• Use a risk-based framework to assure risks to public health are addressed in a continual and timely fashion
• Articulate manufacturer responsibilities by leveraging existing Quality System Regulation and postmarket authorities
• Foster a collaborative and coordinated approach to information sharing and risk assessment
• Align with Presidential EOs and the NIST Framework
• Incentivize the "right" behavior

Postmarket Cybersecurity Risk Assessment
[Slide figure; no text recovered]

Lessons Learned: Evolving Our Thinking
• Coordinated vs. non-coordinated disclosure of device vulnerabilities
  – Ability to get to g