FDA Cybersecurity Workshop Looks to ‘Catalyze Solutions’

Posted May 23, 2017

“What now?”

That question was on the minds of many cybersecurity experts and healthcare technology professionals in the wake of this month’s WannaCry ransomware attack, now considered among the largest cyberattacks in history. But the cyberattack, which wormed its way into older versions of Windows to encrypt data and demand payment, is only the latest in a string of incidents.

The specter of WannaCry permeated a timely public cybersecurity workshop, Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis, which was convened to examine patient safety considerations, regulatory challenges, evaluation tools, communication methods, and more. The workshop was hosted by the Food and Drug Administration (FDA), National Science Foundation, and Department of Homeland Security May 18–19 at the FDA’s headquarters in Silver Spring, MD.

Pressing issues discussed at the workshop included who in a medical device ecosystem is accountable for cybersecurity, the challenges of managing legacy devices, monitoring for threats, and how to respond to cyberattacks. But it was information about device vulnerability—what to collect, how to share it, with whom, and how—that most concerned participants.

In particular, several experts wondered about the flow of cybersecurity vulnerability information from the medical device industry to hospitals, regulators, and other users of technology. While that information can help those stakeholders improve their security, it can also fall into the hands of those who would misuse it.

Participant Elisabeth George, vice president of global governmental affairs, standards, and regulations at Philips Healthcare, highlighted the lack of software information as a major concern, particularly a lack of disclosure in many medical device bills of materials, which list the components that comprise a device.

“You can’t really support something if you don’t know what it’s made up of,” George said. “With the WannaCry ransomware, people are finding out that if you are using different versions of software operating systems, you either are or are not susceptible. If you don’t know what your device consists of, then you can’t know if your device is affected or not. When it comes to software vulnerabilities, we're also struggling with what information to share, who to share it with, and when.”

Small hospitals and clinical practices are the most at risk of cyberthreats going forward, as they often lack the means or expertise to prevent cyberattacks, said presenter Kevin McDonald, director of clinical information security at the Mayo Clinic in Rochester, MN. But even large healthcare systems are challenged by the use of legacy devices. Many of them cannot be updated to protect against modern cyberthreats.

“We still have some systems running DOS,” said McDonald, eliciting a collective groan at the mention of the three-decades-old, text-based operating system. “Even if we wanted to―and could afford to―there are few secure devices to buy. ... Healthcare institutions are getting smarter but still have more work to pressure the market.”

More than 300 medical technology and cybersecurity stakeholders participated in the FDA’s workshop, though participants publicly called for greater hospital participation. The discussions and recommendations from the event will culminate with the publication of a report, anticipated later this year.

“The long-term goal of this workshop and subsequent report is to highlight regulatory science gaps in cybersecurity. We hope that a report in the public domain may catalyze solutions from others and form partnerships with stakeholders, including the academic community, third-party experts, other federal agencies, healthcare delivery organizations, and manufacturers. We want all manufacturers and patients to benefit,” said Dinesh Patwardhan, associate director of the Office of Science and Engineering Laboratories in the FDA’s Center for Devices and Radiological Health.

Healthcare technology cybersecurity will be a major area of focus at the June 9–12 AAMI 2017 Conference & Expo in Austin, TX, where cybersecurity expert Kevin Fu will deliver a keynote address. AAMI also has developed cybersecurity resources to benefit HTM departments and medical device manufacturers, available at www.aami.org/cybersecurity.

Wanted: Your Insights and Expertise

The fall edition of AAMI’s peer-reviewed journal supplement, Horizons, will focus on cybersecurity in healthcare technology. Submission categories include research papers, case studies, systemic reviews, and articles about trends in technology.

The submission deadline is July 15, and more details are available in the formal Call for Papers.

Interested authors may contact editor Gavin Stern with any questions at gstern@aami.org.