In an effort to make the rapidly growing world of medical devices more transparent and secure, the Food and Drug Administration (FDA) published a new set of recommendations this month.
"There is no such thing as a threat-proof medical device," Dr. Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures at the FDA's Center for Devices and Radiological Health, said in a press release. "It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks."
In the new guidelines, the FDA suggests steps to protect devices that contain software, including firmware or programmable logic, or that act as a medical device. This month, the agency plans to hold a public workshop to discuss the topic further.
To safeguard patients and their data, the FDA advocates that developers take the following precautions:
- Identify assets, threats, and vulnerabilities.
- Assess the impact of threats and vulnerabilities on device functionality and end users.
- Rate the likelihood of a threat or vulnerability being exploited.
- Determine risk levels and mitigation strategies.
- Assess residual risk and risk acceptance criteria.
[Medical devices are not immune to hacker attacks. Read FDA Pushes To Improve Medical Device Security.]
Today 47% of healthcare providers and payer respondents have integrated consumer products such as wearables or operational technologies such as automated pharmacy-dispensing systems, according to a PwC report. But only 53% implemented security controls for these devices, the study found.
But according to some, the FDA's guidelines are too little, too late.
"The FDA's recently released guidelines for medical device security focus largely on securing the device at the point of manufacture. Ask any IT administrator tasked with BYOD security, and they'll tell you device security isn't the answer," Ryan Kalember, chief product officer at WatchDox, told InformationWeek. "As with the BYOD challenge, it's not the device that's at risk; it's the data. Health data isn't going to stay on the device forever. To be useful, data must be accessed, analyzed, and reported. And data is far more vulnerable when it's in transit from the device to a web-based dashboard, for instance. For that reason, I do not think the FDA's approach will be adequate in protecting healthcare companies from security breaches."
Chris Petersen, chief technology officer and co-founder of LogRhythm, said the FDA waited far too long to release these guidelines. "Healthcare providers are not unique in having applied the majority of their security focus on keeping adversaries out, focusing less on internal defenses. This typically means, once an adversary is in, they find themselves within a highly vulnerable environment they can further exploit," he said.
"What is unique to healthcare environments are the number of IP-connected medical devices that typically have not been hardened to withstand cyberthreats -- at all. Manufacturers of medical devices have focused first on delivering to the needs of the patient. Securing these devices from advanced threats has not been a mandate and is typically not a focus. The FDA's guidance puts a focus on devices going forward, but it doesn't address the millions of IP-enabled devices currently in operation across healthcare networks globally."
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data. In the Partners' Role In Perimeter Security report, we'll discuss concrete strategies such as setting standards that third-party providers must meet to keep getting your business, conducting in-depth risk assessments -- and ensuring that your network has controls in place to protect data in case these defenses fail (free registration required).