Posted 18 May 2017
By Michael Mezher
The US Food and Drug Administration (FDA) on Thursday kicked off a fortuitously-timed public workshop on medical device cybersecurity, the agency's third on the subject to date.
At the workshop, FDA officials, representatives from industry and researchers are trying to determine the current gaps in regulatory science as it relates to cybersecurity with the aim of coming up with fixes for those gaps down the road.
FDA's previous cybersecurity workshops in October 2014 and January 2016 focused on collaborative efforts on cybersecurity, such as information sharing and vulnerability disclosure and discussing FDA's guidance documents on pre- and postmarket cybersecurity.
"What a week to pick to have the cybersecurity workshop, certainly very topical," said Edward Margerrison, director of the Office of Science and Engineering Laboratories at the Center for Devices and Radiological Health (CDRH), referring to the "WannaCry" ransomware that struck computer systems around the world last Friday.
"This is certainly not a theoretical issue for us. This is real and it's here today," Margerrison said.
Going forward, Suzanne Schwartz, associate director for science and strategic partnerships at CDRH, said the regulatory science tools the agency develops must "be proactive and … set up in a way that enables anticipating what the regulatory and public health issues are."
"The events of the past week, the global impact of cyberattacks on critical infrastructure, the vulnerabilities of medical devices on connected systems, and the real-time difficulties that healthcare provider organizations have in guarding against these kind of attacks … bring this message home to us today," Schwartz said.
In the course of a few days, some 300,000 computers in more than 150 countries were hit by WannaCry, and while the attack did not target healthcare systems, hospitals were among the most heavily impacted by the attack.
The attack also marked a turning point for medical device cybersecurity. On Wednesday, Forbesreported that a Bayer radiology device was infected with the ransomware. Bayer confirmed to Forbes that it received two reports from customers that its devices were affected by the ransomware, but did not specify the model of the devices.
The WannaCry attack highlighted a number of critical challenges for device makers, many of which were brought up during the workshop.
One issue is that medical devices often have a lifecycle that is much longer than the support offered for software applications. For instance, the vulnerability WannaCry targeted was patched by Microsoft in March, but only for supported systems, so computers running older operating systems, such as Windows XP, were left unprotected.
"When I worked in the aviation world, if you had gone into Boeing and suggested Windows XP operating systems in display units in their cockpit they would throw you off. They understand the lifecycle of an aircraft is 25 or 30 years," said Ken Hoyme, director of product and engineering systems security at Boston Scientific.
"We need to think about operating systems that can be long-term supported, that can be much simpler than the complexity we put in. With complexity comes vulnerabilities [and] the need to patch more often," he said.
The settings medical devices are used in also play a significant role in how secure they are.
Kevin McDonald, director of clinical information security at the Mayo Clinic, said that most healthcare systems don't have the time, money or resources to address cybersecurity on their own.
According to McDonald, medical devices are the "weakest link" across Mayo Clinic's enterprise security devices, because updating, patching and replacing the thousands of devices the clinic uses presents a major undertaking. However, McDonald said he has 13 people on staff who specifically deal with medical device cybersecurity, while some small hospitals may not have anyone on staff with that level of focus or expertise.
"We still have some stuff with DOS," he said, referring to Microsoft's long defunct Disk Operating System first released in 1981 and discontinued in 2000.
However, even if a vulnerability is patched, distributing that update poses other challenges. There may be downtime associated with installing the update, and the update itself could introduce new issues.
Hoyme also questioned where to draw the line for "break glass" or fail-safe modes on devices to bypass certain security authentication. On the one hand, such systems provide a way for healthcare providers to quickly use a device in an emergency situation, while on the other it introduces a security vulnerability that could potentially be exploited.
"Does providing a break glass mechanism provide a mechanism to bypass security altogether and introduce harm?" Hoyme asked, raising the question of how such mechanisms could be put in place while still maintaining security.
Experts at the workshop will continue to discuss these issues on Friday, and FDA says it plans to publish a report on findings from the workshop sometime in late 2017.