The FDA and Postmarket Cybersecurity

The FDA issued its guidance on the management of postmarket cybersecurity in medical devices in 2016. This guidance provides recommendations for medical device manufacturers, many of which are not yet widely adopted. From Coordinated Disclosure to ISAOs, this post will attempt to summarize the guidance.

Some Background

In the last few years, researchers have proven that thousands of hospitals and labs are in possession of medical devices that are vulnerable to hacking. This has largely been due to the rising number of medical devices connected to the internet and, unlike sectors dealing with money (banks, investing, etc.), a lackadaisical attitude towards cyber risk. Some medical devices were deployed with fixed passwords, or factory defaults that were never changed. From infusion pumps to CT scanners, many proved accessible by anyone within the hospital network, or sometimes, on the web.

Below is a well known "word cloud" of default passwords for medical devices. To preserve serviceability, the user manuals recommended that users not change the default password. Consequently, thousands of devices were on networks, authenticating with the default passwords shown below. These passwords were not secret or hidden; they are publicly available in the manuals:

[Image: word cloud of publicly available default passwords]

Recent Events

Some of the more recent cyber related incidents for medical device cybersecurity include:

  1. Hospira Symbiq Infusion System – July 2015
    –  FDA issued an advisory for hospitals to stop using the pump, due to cybersecurity risk

  2. J&J Animas Insulin Pump – October 2016
    –  J&J advised users to turn off wireless functions until patched. An attacker could theoretically command the pump to dispense an arbitrary amount of insulin from 25 feet away

  3. St. Jude Pacemaker – August 2016
    –  Security firm reported ability to wirelessly control implanted pacemaker
    –  St. Jude stock dropped ~10%
    –  Ongoing investigations on validity of claim

To date, no one is known to have been injured due to cybersecurity vulnerabilities in medical devices. But obviously, without addressing the risk, it is a ticking time bomb.

Federal Government Takes Notice

In early 2013, President Obama recognized that cyber threats to national security were among the most serious, and that secure and resilient infrastructure was essential. Through executive order and policy directive, the Federal Government was asked to strengthen critical infrastructure against cyber threats, including in the public health sector. The FDA subsequently released a premarket guidance, and more recently, a Postmarket Cybersecurity Guidance for Medical Devices in 2016.


FDA Postmarket Guidance

The FDA recognizes that an effective cybersecurity program needs to incorporate proactive postmarket vigilance, and that managing it is the responsibility of the device manufacturer. Below are the identified critical program components:

  1. Establish and communicate a process for vulnerability intake and handling.
  2. Monitor information sources for vulnerabilities. There are several sources of current vulnerability information, and these should be regularly reviewed for applicability to the devices' software packages. Applicable patches should be applied, and generally do not require FDA notification.
  3. Adopt a Coordinated Vulnerability Disclosure (see below) policy and practice.
  4. Define essential clinical performance and develop mitigations to protect safety-critical functions, even upon security breach.
  5. Assess the presence and impact of a vulnerability. Determine whether the disclosed vulnerability affects your devices' risk, and if so, have procedures to respond and recover. Deploy mitigations prior to exploitation.

What is a Coordinated Vulnerability Disclosure Policy?

A coordinated vulnerability disclosure program provides a method by which vulnerabilities can be reported to the manufacturer and subsequently handled. It needs to provide the methodology by which anyone who finds a vulnerability can report it. For example, if a researcher discovers a vulnerability, how does he or she report it to the manufacturer in a way that gets noticed? A coordinated disclosure policy includes publicly available reporting instructions, and describes how that input is to be handled and the risk controlled.

Why have a Coordinated Disclosure Program (besides that the FDA says to)?

  • Gives advance notice of vulnerabilities
  • Better publicity control. Security researchers are more likely to work with you instead of against you
  • Ultimately, handling vulnerabilities makes patients safer.

Information Sharing and Analysis Organizations (ISAOs)

As part of the federal acknowledgement of the cybersecurity threat, EO 13691 promotes private sector ISAOs to serve as focal points for cybersecurity information sharing and collaboration. The FDA considers participation by manufacturers critical, and has provided several benefits to those who are members. For example, if a vulnerability is found, the manufacturer must report it to the FDA UNLESS all three of the conditions below apply:

  1. There are no known serious adverse events or deaths associated with it.
  2. The manufacturer implements controls within 30 days.
  3. The manufacturer is a participating member of an ISAO.
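The following is an added example (not part of the FDA guidance or of Promenade's own tooling) that turns two of the postmarket program components above, monitoring disclosed vulnerabilities for applicability to each device's software packages and assessing presence and impact, together with the three reporting conditions just listed, into a small triage helper. The fleet inventory, package names, advisory identifier and dates are all constructed for the example; the guidance's 30-day window is assumed here to be counted from the date the manufacturer learned of the vulnerability, and an unmitigated vulnerability is treated as never satisfying the 30-day condition.

```python
"""Postmarket vulnerability triage helper (added example, not FDA or vendor code).

Matches a disclosed vulnerability against the software inventory of each
device model, then applies the three-condition FDA notification exemption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def parse_version(text: str) -> tuple:
    """'1.10.2' -> (1, 10, 2); integer tuples compare correctly field by field,
    which plain string comparison ('1.9' > '1.10') does not."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Package:
    name: str
    version: str


@dataclass(frozen=True)
class Device:
    model: str
    packages: tuple  # software packages shipped in this device model


@dataclass(frozen=True)
class Advisory:
    ident: str       # placeholder identifier, constructed for this example
    package: str     # affected software package
    fixed_in: str    # first version that carries the fix
    disclosed: date  # date the manufacturer learned of the vulnerability


def affected_devices(fleet, advisory) -> list:
    """Return the device models whose inventory holds an unfixed version of the package."""
    fixed = parse_version(advisory.fixed_in)
    hits = []
    for device in fleet:
        for pkg in device.packages:
            if pkg.name == advisory.package and parse_version(pkg.version) < fixed:
                hits.append(device.model)
                break  # one vulnerable package is enough to flag the model
    return hits


def fda_notification_required(advisory, mitigated_on: Optional[date],
                              adverse_events: bool, isao_member: bool) -> bool:
    """Notification is required unless ALL three exemption conditions hold:
    (1) no known serious adverse events or deaths, (2) controls implemented
    within 30 days, (3) the manufacturer is a participating ISAO member.
    Assumption: the 30 days run from advisory.disclosed, and mitigated_on=None
    (nothing deployed yet) never satisfies condition 2."""
    within_window = (
        mitigated_on is not None
        and timedelta(0) <= (mitigated_on - advisory.disclosed) <= timedelta(days=30)
    )
    exempt = (not adverse_events) and within_window and isao_member
    return not exempt


def triage(fleet, advisory, mitigated_on, adverse_events, isao_member) -> dict:
    """Combine the applicability check with the reporting decision."""
    affected = affected_devices(fleet, advisory)
    return {
        "advisory": advisory.ident,
        "affected_models": affected,
        # No affected device means nothing to report for this advisory.
        "fda_notification_required": bool(affected) and fda_notification_required(
            advisory, mitigated_on, adverse_events, isao_member),
    }


# Constructed sample inventory and advisory (not real products or identifiers).
FLEET = (
    Device("infusion-pump-x", (Package("tls-lib", "1.0.1"), Package("web-ui", "3.2.0"))),
    Device("ct-console-y", (Package("tls-lib", "1.1.0"),)),
    Device("monitor-z", (Package("web-ui", "2.9.4"),)),
)
ADVISORY = Advisory("ADV-EXAMPLE-0001", "tls-lib", "1.0.2", date(2016, 10, 3))


if __name__ == "__main__":
    # Mitigation deployed 17 days after disclosure, no adverse events, ISAO member.
    print(triage(FLEET, ADVISORY, date(2016, 10, 20), False, True))
    # Same vulnerability, but the fix slipped to day 38: notification required.
    print(triage(FLEET, ADVISORY, date(2016, 11, 10), False, True))
```

The version comparison is deliberately done on integer tuples because a naive string compare would treat `1.10.0` as older than `1.9.3` and silently miss affected devices; the exemption check is written so that any missing condition, including a mitigation that has not shipped yet, falls through to "report".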

ISAOs protect the privacy of individual members and preserve business confidentiality, safeguarding the information being shared.

Need Help?

Our cybersecurity experts can help you! Postmarket cybersecurity services, including help with a Coordinated Disclosure Program and ISAO membership, are part of our offerings.

Frances Cohen

Frances Cohen is President of Promenade Software Inc., a leading software services firm specializing in medical device and safety-critical system software. Frances has more than 20 years of experience leading software teams for medical device software. Starting with heart defibrillators for Cardiac Science and following with Source Scientific LLC and BIT Analytical Instruments Inc., Frances has overseen dozens of projects through development and the FDA, including IDEs, 510(k)s, and PMAs.

Frances has a B.S. in computer engineering from the Technion, Israel Institute of Technology.
