Medical Device Cybersecurity: Are you Prepared?
February 14, 2023By Theodore Thompson, J.D., R.A.C.
Medical device manufacturers form part of the first line of defense that health delivery organizations (HDOs) rely upon to manage and combat a cybersecurity attack.
"[C]yber risks are increasing constantly" due to the interconnectedness of the complex systems we rely on for our everyday needs.[1]
- Puesh Kumar, the director of the US Department of Energy's Office of Cybersecurity, Energy, Security, and Emergency, National Public Radio interview on January 30, 2023.
Due to the healthcare industry's increasing reliance on complex computer systems and connected networks in the healthcare space, cybersecurity incidents will result in disruptions to patient care. According to the FDA, the increase in the exchange and sharing of medical device-related health information highlights the critical need for robust cybersecurity controls to ensure medical device safety and effectiveness.[2]
On November 14, 2022, the FDA and MITRE[3] published an updated Playbook titled: Health Delivery Organization (HDO) Medical Device Cyber Incident Preparedness and Response Ver. 2.0 (or "Playbook").[4] The Playbook focuses on "preparedness and response for medical device cybersecurity issues that impact the functionality of a device." [5]
Although the Playbook's intended audience is HDOs, medical device manufacturers form part of the first line of defense that its customers (HDOs) rely upon to help manage and combat a cybersecurity attack.
Below we've summarized the updated Playbook and compiled a list of key takeaways for medical device manufacturers.
Preparedness: How can HDOs (and device makers) prepare for a cybersecurity attack?
The Playbook recommends that HDOs take the following steps to prepare for a cyber-attack:
- HDOs should catalog the different sources of cybersecurity risk (e.g., number of networked devices, security controls needed to gain access, type of operating systems used, state of the operating systems, the status of known vulnerabilities, etc.).[6]
-
- The inventory should include such information as the equipment/name and location, the device's logic location (e.g., IP address, physical port or wireless access point connection(s)), device owner and manager, interaction with other devices, device status, and additional information which may be crucial in remotely or physically accessing the device.[7]
- The risk inventory provides a framework for a cybersecurity incident response to facilitate a rapid recovery to normal operations after an incident occurs.[8]
- That HDOs assess medical device cybersecurity risks during the device procurement process.
-
- After all, an ounce of prevention is worth a pound of cure. This may include securing a commitment from the manufacturer to participate in security exercises at the HDO.[9] This could troubleshoot not only possible cybersecurity threats but also strengthen the relationship between the manufacturer and HDO for the time when an actual incident occurs.[10]
- HDOs should arrange for real-time assistance from the manufacturer ahead of any cybersecurity incident.
-
- This puts an expectation on manufacturers to remain vigilant of cybersecurity threats that might single out their devices (a practice which they should already be doing) and be ready to provide cybersecurity support, potentially at any time of day or night and certainly without prior notice.
- HDOs should prepare for routing communications in the case of a cybersecurity incident.
-
- Points of contact outside of the organization (e.g., FDA, device manufacturer) should be pre-established and disseminated to the members of the HDO's HIMT.
- HDOs should be aware of the address: CyberMed@fda.hhs.gov as a point of contact with the FDA if no other information is available.[11]
- So, even without a previously negotiated agreement between the HDO and the device manufacturer, manufacturers should be aware that FDA may call upon them to provide support, a call which they are advised not to send to voicemail.
- Therefore, manufacturers should be prepared to have cybersecurity staff available to provide around-the-clock support for their devices, either in-house or through a contractor.
- HDOs should consider developing pre-prepared templates for communications to affected system users and other internal staff (e.g., HIMT members, C-suite, managers, system owners), external business associates, internet service providers, public announcements about the incident, regulatory or compliance communications, and more.[12]
-
- Manufacturers might also want to heed this recommendation: they are interested in disseminating their messaging in case of a cybersecurity incident affecting their devices. They might want to have pre-prepared communications ready for such an occurrence.
Detection and Analysis: What Happens Once an Incident Has Been Identified?
Cybersecurity incidents come without prior announcements. Even after an incident is identified, it may be challenging to determine whether an attack occurred and, if so, what happened. Identifying a cybersecurity incident is a necessary first step to detection and analysis. Manufacturers should be prepared to work with HDOs in analyzing and assessing the suspected incident they are observing. An organization might ask: was the incident the result of a system malfunction or human error instead of a targeted act? How did the incident arise? What tools were used to detect the incident? Have regional parties noticed the same or similar experiences on their networks? Have cyber information or watchdog groups noticed anything similar?[13]
Once the incident has been identified, it should be classified to understand the scope of the response. The factors that are reviewed when classifying the response include:
- Potential number of affected parties;
- Potential to spread to unaffected systems;
- Previous experience in mitigating this type of incident;
- Potential for damage or loss;
- Short and long-term business impact.[14]
The outcome of the incident classification drives the response to the incident: more severe responses require rapid activity and more significant effort than a lower-risk incident.
An essential part of the response is communication with the stakeholders. Internal communications are necessary to coordinate a response, and communications outside the HDO to the FDA, affected users, and the US Cybersecurity & Infrastructure Security Agency (CISA) may also be required.[15]
Anything in this section that device makers should pay attention to? Let's focus on that aspect.
Containment, Eradication, and Recovery: What Actions Need to be Taken to Address the Incident?
The Playbook recognizes that many HDOs use a "contain, clean, and deny" approach to dealing with cybersecurity incidents. These actions are meant to stop the incident, contain any damage it may have caused, and restore network function as quickly as possible.[16] "Containment begins with the HIMT activation and execution of the [Emergency Operations Plan]."[17] There are several different considerations for an HDO to factor into their response, including:
- Is there a way to test the device and confirm its safety after the threat has been contained?
- Can the device be safely used if removed from the network?
- Could the manufacturer, or another party (e.g., a capital equipment leasing company), provide loaner devices?
- Who can fix the problem, and how long will it take them? Does the organization have the internal resources to address the problem?
- Have the affected devices caused any "collateral damage" to the broader network?[18]
Eradication may be specific to the affected device and the type of network intrusion. In other words, there is no "one-size-fits-all" approach. The Playbook also instructs HDOs to anticipate longer timelines for recovery and mitigation, which the incident may require.[19] In the recovery phase, manufacturers should consider working not only with the HDOs directly impacted by the incident but also with other HDOs using their devices that were not directly impacted or targeted by the attack.
Post-Activity: What Happens Next?
Even after all containment, eradication, and recovery activities have been completed, there is still work to be done. Amongst other things, a firm should evaluate the following:
- What happened and when?
- How well was the plan implemented? How well did it work? What could have been done better?
- What was needed sooner?
- How was information shared between groups that needed it? How could this be improved upon in the future?
- What were the early indicators of the incident? How could these be monitored in the future?[20]
The evaluation results and the items learned should be re-directed to the EOP to facilitate a future response to a cybersecurity incident and improve the HDO's cybersecurity preparedness.
Manufacturers' work is not finished, however. Suppose it was not possible to do so while implementing the security fix. In that case, the manufacturer should conduct a risk assessment of the change to ensure that this newly identified risk is accounted for and that any software update does not adversely affect the device; any identified risks should be documented and remedied (if possible). The manufacturer should also submit any necessary change to the FDA for further review (e.g., new 510(k), PMA 30-Day or 180-Day supplement) and document changes in the design history file for both 510(k) and PMA devices, if necessary.
In summary, the relationships an HDO may build with regional partners, and the internal plan it creates to deal with a cybersecurity incident can lay a solid foundation and prepare the organization for a rapid response when an attack occurs. An organization needs to create a plan that addresses its particular circumstances as comprehensively as possible. The Regional Incident Preparedness and Response Playbook can guide creating or updating an organization's cybersecurity incident response plan.
Key Takeaways for Medical Technology Companies:
- Embed cybersecurity into the company's culture and Quality Management System (QMS) and design controls processes.
- Adhere to FDA Quality System Regulations (QSR) and guidance related to cybersecurity in medical devices.
- Incorporate cybersecurity risk in every phase of the device design and development process.
- Train applicable staff on cybersecurity risks and mitigations related to the company's products so that staff may be prepared to help HDOs and patients in case of a cybersecurity incident affecting the manufacturer's product.
- Be well-prepared for questions from customers and potential buyers of your device.
- Device makers should expect cybersecurity questions in the early stages of the procurement or vendor onboarding process with HDOs.
- Also be prepared to answer questions regarding any suspicious activity after deployment. Some might be benign, some might not.
- Be a partner in mitigating cybersecurity risks.
- Be open and prepared to collaborate in security exercises as required by the HDO.
- Expect to provide cybersecurity support related to the company's products, as needed.
- Be ready.
- HDOs will contact manufacturers for assistance with cybersecurity risks, questions, and incident response plans.
- The FDA may contact device makers if cybersecurity support is needed.
- Companies should review their incoming communication channels processes to ensure that if FDA or an HDO reaches out, the message would get to the appropriate person/team at the company promptly.
- Plan ahead.
- Medical device manufacturers should consider drafting pre-prepared templates that are ready to be used in the case of a cybersecurity incident.
- Identify members and roles of your cybersecurity incident response team ahead of any incident.
- Develop a plan for communicating, analyzing the incident, and responding to it that can guide your team during an incident.
- Follow QMS requirements.
- If software fixes or other device design changes are needed to address cybersecurity risks, the company should follow its Quality Management System and FDA regulations.
- Conduct regular risk assessments to ensure that any new or increased risks are accounted for in the device risk management file.
- Evaluate and submit post-market device changes to FDA for approval, where required.
[1] Recent attacks on electric substations have the Department of Energy concerned. https://www.npr.org/2023/01/30/1152448772/recent-attacks-on-electric-substations-have-the-department-of-energy-concerned. Last accessed February 2, 2023.
[2] FDA Guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. https://www.fda.gov/media/119933/download
[3] MITRE is a non-profit organization that runs several federally funded research and development centers (FFRDC), including the CMS Alliance to Modernize Healthcare, the National Cybersecurity Center of Excellence, and the Homeland Security Systems Engineering and Development Institute.
[4] The Playbook is available here: https://www.mitre.org/news-insights/publication/medical-device-cybersecurity-regional-incident-preparedness-and-response
[5] Playbook at 2.
[6] "Conducting a thorough device inventory and developing a baseline of medical device cybersecurity information are the first steps in developing a cybersecurity preparedness and response framework." Id at 25.
[7] Id. at 9.
[8] Id. at 4. Internal preparation for an HDO includes creating a cybersecurity component to the Hospital's Incident Management Team (HIMT). Including Information Security Officer (ISO) and Chief Information Officer (CIO), as well as including specialized staff to act as cybersecurity liaisons with outside organizations, could result in quicker resolution of cybersecurity incidents and faster decision-making in critical situations.
[9] Id. at 7.
[10] Id.
[11] Id. at 14-15.
[12] Id. at 16-17.
[14] Id. at 19.
[15] Id. at 20-21.
[16] Id. at 22.
[17] Id.
[18] Id. at 22-23.
[19] Id. at 23.
[20] Id. at 24. These considerations, and more, were adapted from the National Institute of Standards and Technology (NIST) publication NIST SP 800-61r2, available at: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final.
Need help?
Information provided on this website is not legal advice. Communications sent to or from this site do not establish an attorney-client relationship. © 2023 Gardner Law. All Rights Reserved.