Expert: FDA Cyber Guidance For Medical Devices Needs More Work

The FDA's pending guidance for post market cyber security needs more work to be effective says University of Michigan Professor Kevin Fu.

In-brief: A prominent expert in medical device security has warned the FDA that its draft guidance for post market medical devices is too focused on stomping out known threats, and not enough on addressing current and future risks to the security of healthcare environments.

The U.S. Food and Drug Administration (FDA)’s draft cyber security guidance to healthcare organizations and medical device makers is in danger of treating the symptoms, but not the disease, according to a leading expert on the security of medical devices and healthcare organizations.

In a letter to Dr. Suzanne Schwartz, the FDA’s Director of Emergency Preparedness/Operations and Medical Countermeasures, dated April 21 (PDF), Dr. Kevin Fu of the University of Michigan said that pending FDA guidance on managing post market cybersecurity vulnerabilities in medical devices is too focused on stomping out known threats and not enough on addressing cyber security risk to medical environments. Fu blogged about his recommendations here.

Fu said more work needs to be done to make the FDA guidance risk-based rather than threat-based. Otherwise, the U.S. government and healthcare organizations risk falling victim to what Fu termed “the street light effect”: focusing resources on fighting security threats where it is easiest (that is, where they have already been identified) rather than in all the different places where cyber risk might exist.

For example, Fu notes that the FDA’s proposed guidance refers to “network connected” and “connected” several times. But that simply narrows the scope for would-be defenders in a way that’s arbitrary. “The document ought instead refer to ‘exposure to cybersecurity risks,’” Fu writes. “The former terms treat symptoms whereas the more technically correct phrase I suggest focuses on outcomes.”

Fu is a professor at The University of Michigan and co-founder of the firm Virta Labs.

The FDA released its so-called “post market” guidance for review in January, following the approval of similar guidance for so-called “pre-market” devices that are under development by device makers in October, 2014. Unlike the premarket guidelines, however, the new document covers a huge population of medical software and hardware that is already in use at medical facilities across the country.

Once approved, the post market guidance will be non-binding. However, it acts as a guidepost for medical device manufacturers as well as for customers and private sector security researchers who find vulnerabilities in medical devices.

In its initial form, the FDA guidance calls on medical device manufacturers to “implement comprehensive cybersecurity risk management programs” that include a way to handle complaints from customers and researchers, conduct quality audits of post market devices, perform software validation and risk analysis on medical devices and take corrective action to address known flaws.

Priority should be given to vulnerabilities that “may permit the unauthorized access, modification, misuse or denial of use of devices” or provide unauthorized access to information stored on the device or transferred from it, the FDA recommends.

Among other things, medical device manufacturers are advised to adopt a “coordinated vulnerability disclosure policy and practice” akin to what many software firms have implemented in recent years. Device makers are also urged to participate in an information sharing and analysis organization (ISAO) akin to those in the banking, energy and (more recently) automotive sectors.

The draft guidelines have been lauded by lawmakers. In a letter to Dr. Schwartz, Representative James Langevin (D-RI) called the post market guidance an important step in adapting the regulatory environment to the “new reality” of connected health devices and the Internet of Things.

“The postmarket guidance should prove particularly effective due to its emphasis on risk-based cybersecurity,” Langevin wrote.


But Fu, an internationally recognized expert on the security of medical devices and an Associate Professor of Computer Science & Engineering at the University of Michigan, isn’t as sure. Using an analogy from the medical world, Fu notes that epidemiologists don’t issue separate guidance for preventing influenza infections “by sneezing” versus “by cough.” The focus, instead, is on outcomes: preventing influenza from spreading, period. Similarly, he says, “the FDA guidance document on post market cybersecurity should not focus on modality of an infection vector, but rather outcomes.”

In his letter, Fu praised the FDA for “waking up from its cyber slumber in the 2000s” and coming up with “meaningful cybersecurity guidance with specific responsibilities assigned to specific stakeholders.” Still, he voices concern about a number of elements of the guidance.

On the issue of ISAOs, Fu notes that information sharing isn’t a panacea: especially when the information shared has a low value. In some cases, ISAOs can even inhibit progress on cyber security, if they prompt healthcare organizations to dress up their security for the benefit of the ISAO, rather than wade in and resolve stubborn or complex issues. “I recommend caution and skepticism when enrolling and periodically reviewing the effectiveness of ISAOs,” Fu wrote.

Similarly, the post market guidance says little about two major sources of insecurity within the healthcare sector: post market software updates from medical hardware and software vendors, and updates and service visits from third parties such as support organizations. At the recent South by Southwest Conference, for example, John Halamka, the Chief Information Officer of Boston’s Beth Israel Deaconess Hospital, related a story about a medical records system that became infected by way of a support technician’s laptop. As written, the FDA guidance would do little to address such (common) threats.

“The guidance should include language that acknowledges the risks of unauthentic (sp) software updates, not limited to downloaded updates (since physical installation media can carry malware) and not limited to the devices being updated,” he wrote.
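The control that follows from Fu’s point is that a device should authenticate an update the same way regardless of how it arrived: a signature over the image is checked before anything is installed, and the delivery channel (download or physical media) is never treated as evidence of authenticity. The following is an added illustration, not code from the article, from Fu’s letter, or from any device vendor. It assumes a hypothetical vendor signing key held outside the device, a monotonically increasing build number to block rollback to an older signed image, and an `UpdatePackage` structure invented for the example; the firmware bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical update as it arrives on a device. Source is
// informational only (e.g. "download" or "usb-media"); it is never trusted and
// never consulted by the verifier.
type UpdatePackage struct {
	Source    string
	Build     uint32 // monotonically increasing build number (assumption)
	Image     []byte
	Signature []byte // ed25519 signature over digest(Build, Image)
}

var (
	ErrBadSignature = errors.New("update rejected: vendor signature does not verify")
	ErrRollback     = errors.New("update rejected: build is not newer than installed build")
)

// digest binds the build number to the image so that a signed image cannot be
// replayed under a different build number.
func digest(build uint32, image []byte) []byte {
	h := sha256.New()
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], build)
	h.Write(b[:])
	h.Write(image)
	return h.Sum(nil)
}

// SignUpdate is what the vendor's release pipeline would do with its private key.
// The private key never lives on the device.
func SignUpdate(priv ed25519.PrivateKey, build uint32, image []byte, source string) UpdatePackage {
	return UpdatePackage{
		Source:    source,
		Build:     build,
		Image:     image,
		Signature: ed25519.Sign(priv, digest(build, image)),
	}
}

// VerifyUpdate is the device-side check. It depends only on the pinned vendor
// public key, the package contents and the currently installed build; the
// delivery channel plays no part, so media-borne and downloaded updates are
// held to the same standard.
func VerifyUpdate(vendorPub ed25519.PublicKey, installedBuild uint32, pkg UpdatePackage) error {
	if !ed25519.Verify(vendorPub, digest(pkg.Build, pkg.Image), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Build <= installedBuild {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed sample: a vendor key pair and a firmware image.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	firmware := []byte("constructed sample firmware image v2")

	// A legitimately signed build 2 arriving on installation media verifies.
	good := SignUpdate(priv, 2, firmware, "usb-media")
	fmt.Println("signed build 2 via usb-media:", VerifyUpdate(pub, 1, good))

	// The same package with one byte altered after signing is rejected.
	tampered := good
	tampered.Image = append([]byte(nil), firmware...)
	tampered.Image[0] ^= 0x01
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, tampered))

	// A validly signed but older build is rejected as a rollback.
	old := SignUpdate(priv, 1, firmware, "download")
	fmt.Println("older signed build:", VerifyUpdate(pub, 1, old))
}
```

The check never reads `pkg.Source`, which is the point: a technician’s USB stick and a vendor download both reach `VerifyUpdate` and both fail on a bad signature. Rollback protection matters because an attacker who cannot forge a signature can still try to reinstall an older, vulnerable image that the vendor once signed.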

Fu worries that the current document’s backing of established information security practices like “network monitoring” is inadequate to the task of assessing post market cyber security risks – the equivalent of ‘fighting the last war’ rather than the next one. He recommends that the FDA adhere to NIST cybersecurity guidance for critical infrastructure, which focuses on enumerating cyber security risks first and then deploying technology controls that match those risks. Finally, continuous measurement of security controls is needed to keep environments secure, given that the landscape of software vulnerabilities, malicious actors and deployed software and hardware constantly changes.