Be vigilant with your medical device cybersecurity
An article featuring the FDA’s new draft guidance, “Postmarket Management of Cybersecurity in Medical Devices”, has recently been published. The document tells device makers what the agency expects of them regarding security updates and patches for medical devices that are already on the market. It also includes a few “goodies”, including:
• Reduced reporting requirements to the agency
• Options to disclose vulnerabilities without taking on additional litigation
This new FDA policy is “consistent with that found in other industries” as part of the U.S. Government’s push to secure ‘critical cyber infrastructure’. In many industries that infrastructure lies in private hands, and Congressional and Presidential actions have been taken to improve cooperation between the public and private sectors.
A few examples of security jargon that you may want to know before reading the new draft from the FDA include:
• CERT – Computer Emergency Readiness Team; the branches of the Department of Homeland Security that are responsible for securing U.S. interests from hacking and other IT-based attacks.
• ICS-CERT – the Industrial Control Systems CERT, a specialist group that concentrates on industrial control systems.
• ISAO or ISAC – Information Sharing and Analysis Organization/Committees. Industry-specific, non-profit organizations whose members get together to share information about securing technology.
• NH-ISAC – the National Healthcare ISAC, with which the FDA has a special partnership and which device makers are encouraged to join.
• Vulnerability – a weakness in a segment of technology or a process surrounding it that could be used to cause harm.
• Threat – when someone (a “threat actor”) exercises a vulnerability to cause harm.
• Exploit – a specific instance of a threat actor exercising a vulnerability.
• Remediation – when a manufacturer, vendor or organization does something to fix (temporarily or permanently) a vulnerability.
• Risk – roughly the likelihood of a threat being realized times the impact of that threat. For example, if a rare circumstance results in a device causing a patient’s death, the risk would be low x catastrophic, or high. On the other hand, if a thermometer’s battery runs out and a patient is unable to get a reading, the risk is moderate x low, or merely moderate. Not all risks are equal, and neither are all devices.
• CVSSv3 – the Common Vulnerability Scoring System, version 3. This is the “security Richter scale” that rates vulnerabilities from 0 to 10 based on a number of factors. Rule of thumb: if it’s 7 or up, it needs to be remedied quickly.
• Controlled Risk – when the risk is within the “acceptable” range.
• Uncontrolled Risk – when the risk is in the “unacceptable” range.
• Cybersecurity Routine Updates and Patches – updates released by a device manufacturer to close vulnerabilities in an in-market medical device.
• Essential Clinical Performance – the definition of what the device must do to meet the clinical objectives.
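The Risk, CVSSv3 and Controlled/Uncontrolled Risk entries above describe a triage rule that is easy to get wrong when done by hand. The following Python is an added example (not from the article or the FDA guidance) that applies those definitions to a reported device vulnerability; the ordinal scales, numeric weights and the “acceptable” cut-off are assumptions chosen so that the glossary’s own two illustrations come out as stated, while the CVSS severity bands are the published CVSS v3 qualitative ratings.

```python
# Added example: likelihood x impact risk rating plus the CVSSv3 rule of thumb.
# Scales, weights and the "acceptable" boundary are assumptions for illustration;
# the FDA draft does not prescribe them. Adjust them to your own risk policy.

LIKELIHOOD = {"low": 1, "moderate": 2, "high": 3}          # "rare" maps to "low"
IMPACT = {"low": 1, "moderate": 2, "high": 3, "catastrophic": 4}

# Qualitative buckets for the product likelihood * impact (assumed thresholds).
RISK_BANDS = [(1, "low"), (3, "moderate"), (6, "high"), (12, "critical")]

# Published CVSS v3.x qualitative severity ratings (upper bound inclusive).
CVSS_BANDS = [(0.0, "none"), (3.9, "low"), (6.9, "medium"), (8.9, "high"), (10.0, "critical")]

ACCEPTABLE = {"low", "moderate"}   # assumed "controlled" range


def risk_rating(likelihood: str, impact: str) -> str:
    """Rate risk as the glossary defines it: likelihood times impact, then bucketed."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    return next(label for bound, label in RISK_BANDS if score <= bound)


def cvss_severity(base_score: float) -> str:
    """Map a CVSS v3 base score (0.0-10.0) to its qualitative severity."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    return next(label for bound, label in CVSS_BANDS if base_score <= bound)


def triage(likelihood: str, impact: str, cvss: float) -> dict:
    """Combine both views into a postmarket decision for one reported vulnerability."""
    rating = risk_rating(likelihood, impact)
    return {
        "risk": rating,
        "controlled": rating in ACCEPTABLE,            # controlled vs. uncontrolled risk
        "cvss_severity": cvss_severity(cvss),
        "remediate_quickly": cvss >= 7.0 or rating not in ACCEPTABLE,
    }


if __name__ == "__main__":
    # Constructed inputs mirroring the glossary's two illustrations.
    print(triage("low", "catastrophic", 8.1))   # rare death scenario -> uncontrolled
    print(triage("moderate", "low", 3.3))       # flat thermometer battery -> controlled
```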
Click here to read the entire PDF on the FDA’s guidance.