Medical device cybersecurity is becoming an increasingly important issue for both healthcare providers and device manufacturers.

Moreover, the FDA recently released draft guidance on how medical device manufacturers must monitor, identify and address cybersecurity vulnerabilities. While directly related to manufacturers, Russell Jones, partner in Deloitte’s Cyber Risk Services group, told HealthITSecurity.com that both manufacturers and healthcare providers should still take the time to understand the FDA guidance.

The 90-day comment period is currently underway, he added, and it could greatly benefit the healthcare industry as a whole for both sides to make sure they understand what the guidance means for them and for cybersecurity overall.

“One of [the FDA’s] key themes is collaboration,” Jones explained, adding that this is also stemming from an FDA workshop held a few weeks ago. “Industry-wide collaboration is needed to solve this cybersecurity problem with network-connected medical devices.”

That collaboration needs to take place between device manufacturers, the federal government, and healthcare providers, he added. Hospitals, health systems, and even security researchers should also be involved because everyone needs to be working collaboratively in order to solve potential data security issues.

Important draft guidance takeaways

The concept of essential clinical performance is one of the main concepts in the medical device cybersecurity guidance, according to Jones, and it is one area on which many of the comments on the guidance will focus.

While not a “new” concept for device manufacturers, it is a new concept for the security staff who are charged with medical device security.

“The FDA has left it up to the manufacturers to define it for their devices, but it’s a key concept because then in the guidance it talks about determining if you have controlled or uncontrolled risk,” Jones said.

Organizations need to go through their regular risk assessment process under ISO 14971, the risk management standard required for medical devices. However, Jones explained that, as it relates to security, the draft guidance is more specific about controlled versus uncontrolled risk.

“In this case, imagine there’s a vulnerability with a particular device, and [a manufacturer] goes through their risk assessment process, figures out the root cause, and comes up with a plan to address it. They might make a patch or a workaround, and then they determine if there’s residual risk.

If there’s too much residual risk and it’s uncontrolled, it takes you down a path where you’ve got to report under part 806, which is also nothing new. But again, it is for security, and for people that own security now within device manufacturers.”

Jones also pointed out a type of “safe harbor” that the guidance provides for manufacturers. However, three criteria must be met for it to apply.

First, there must be no known injuries or deaths associated with the uncontrolled vulnerability. Second, the device manufacturer must identify and implement a fix or a workaround within 30 days of identifying the vulnerability. The third criterion is that the device manufacturer be a member of an Information Sharing and Analysis Organization (ISAO).

“The FDA is saying that if you meet these three criteria, you won’t be required to report under part 806,” Jones explained. “They’re saying that within the 30 days of learning a vulnerability exists, then the manufacturer comes up with a fix. Whether it’s compensated controls or a workaround, there is something to bring the residual risk down to what they call controlled risk now.”

A final important takeaway under the draft guidance is that manufacturers need to participate in an ISAO.

“The collaboration comes from the sharing of those vulnerabilities and the threat indicators and how manufacturers are fixing them with the broader community of an ISAO,” according to Jones. “That’s where the real collaboration comes in. That’s why I think they created this safe harbor, to basically get more adoption of this guidance.”

Why the mindset needs to change on collaboration

When it comes to medical device manufacturers, there seems to be a movement toward adopting better cyber hygiene and best practices, according to Jones, regardless of organization size.

Among some of the larger organizations, Jones stated that there has been movement over the last year toward adopting best practices. Moreover, there is a movement toward a more formal approach to security within the overall product development life cycle.

While nothing is perfect, he maintained that it was moving in the right direction.

“On the other end of the spectrum, I think there are a lot of manufacturers out there that aren’t really aware of what’s going on,” Jones admitted. “Or even if they are aware, they don’t have the resources or the finances to be able to really address this in a way that’s going to become part of the DNA of how they’re doing product development.”

It is also important to bring in individuals who have cybersecurity expertise. From there, participating in groups like NH-ISAC will be beneficial.

“It’s a huge cultural shift,” Jones said. “Especially when you get down to the product development teams and the engineers, software developers, etc. When you get it down to that level, it’s a difficult shift.”

The product team level is where the largest struggles are being seen, according to Jones.

“The manufacturers that have actually formalized those industry leading practices and tools, and are then trying to drive it down into the actual product development team, engineering level. That is a huge change management issue.”

Advice for device manufacturers and healthcare providers

Medical device manufacturers should definitely participate in one or more of the current collaborative efforts in the industry, Jones urged.

“Whether it’s NH-ISAC or another one, there is already a group of medical device manufacturers or healthcare providers that have come together trying to work through these problems, and then develop standards and guidance for the industry.”

Additionally, manufacturers need to have someone formally on point for product security for their devices. That individual should then report high enough up in the organization to actually have the authority to implement leading industry practices. From there, those practices can be driven down all the way to the product development teams or engineering groups, he said.

Healthcare providers should also participate in an industry group so they can provide better input to the manufacturers, according to Jones, who said that some of his device manufacturing clients would love to hear that type of feedback.

“The engineering teams that are actually designing these devices, they would love to have direct input from say someone from the clinical engineering department at a major health system, or one of their customers,” he maintained. “They’d love to get that direct input on their needs from a security perspective, and hear their challenges in the actual operating environment as input to how they design security for the device.”