FDA Workshop Tackles Ongoing Cybersecurity Concerns

Posted February 5, 2019

On its first day of business following the 35-day government shutdown, the Food and Drug Administration (FDA) brought together medical device manufacturers, healthcare delivery organizations (HDOs), researchers, patients, and other stakeholders for a public workshop focused on what FDA Commissioner Scott Gottlieb called one of the agency’s “most critical device safety challenges and priorities”—cybersecurity.

“As we’ve seen in recent years, the threat of cybersecurity attacks is not theoretical. The risk of patient harm either from a ransomware attack that threatens hospital operations or a hack that compromises a patient’s device is a very real concern,” Gottlieb said. “But we know that the solutions to these challenges are not straightforward. Like the technology itself, there is not a one-size-fits-all approach to address these issues” due to the variety of device designs, environments, and uses.

The workshop sought feedback on the FDA’s draft premarket cybersecurity guidance, released last October to help manufacturers build cybersecurity best practices into the design of their medical devices. Crucially, the draft guidance recommends that manufacturers supply a cybersecurity bill of materials (CBOM): a list of the commercial, open-source, and off-the-shelf software and hardware components in a device that are, or could become, susceptible to vulnerabilities.

“Particularly in response to the WannaCry ransomware attack in 2017, we realized that a major challenge to efficient and timely threat response was that device users didn’t know what they had. By providing [a] bill of materials, manufacturers will deliver much-needed transparency” that enables users to evaluate their devices and mitigate risks, Gottlieb said.

Participants at the meeting discussed the content, benefits, and risks of CBOMs, including how to make this cybersecurity information most useful to the end user. Additional topics included methods to assess vulnerabilities, threat modeling, and communicating cybersecurity principles to both clinicians and patients.

“Many HDOs are not equipped with dedicated staff or tools to put the software bill of materials (SBOM) or CBOM document into much use. They do not have the capability to track their assets on a software component level basis,” said Priyanka Upendra, compliance program director of technology management at Banner Health, who attended the workshop. “HDOs and the overall HTM community would greatly benefit from a step-by-step process to consume the SBOM/CBOM, better understand how the software works, troubleshoot common problems, and manage and remediate a risk in a timely manner.”
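What “consuming” a CBOM looks like in practice, as an added example that is not from the FDA, the draft guidance, or any manufacturer: a component inventory for a few devices is crossed with an advisory feed so that an HDO can answer the WannaCry-era question Gottlieb raises above, namely which devices on the floor run the affected component and which fix level they need. The inventory, the advisory feed, the device and component names, and the advisory IDs are all constructed for this example; the JSON field layout is this example’s own simplified schema, not a standard SBOM format.

```python
"""Consume a CBOM-style inventory and match it against an advisory feed.

Added example, not FDA, guidance, or manufacturer code. The inventory and the
advisories are constructed; device, component and advisory names are hypothetical.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed CBOM-style inventory for three hypothetical devices. A real CBOM
# would come from the manufacturer; the field names are this example's own.
CBOM_JSON = """[
  {"device": "infusion-pump-A", "serial": "IP-0001", "components": [
     {"vendor": "ExampleOS", "name": "exos-kernel", "version": "4.4.10"},
     {"vendor": "ExampleOS", "name": "exos-smb", "version": "3.1.4"},
     {"vendor": "openssl", "name": "openssl", "version": "1.0.2k"}]},
  {"device": "imaging-workstation-B", "serial": "IW-0002", "components": [
     {"vendor": "ExampleOS", "name": "exos-smb", "version": "3.2.0"},
     {"vendor": "openssl", "name": "openssl", "version": "1.0.2n"},
     {"vendor": "ExampleMed", "name": "dicom-lib", "version": "5.2"}]},
  {"device": "patient-monitor-C", "serial": "PM-0003", "components": [
     {"vendor": "ExampleOS", "name": "exos-smb", "version": "2.9"},
     {"vendor": "openssl", "name": "openssl", "version": "1.1.0h"}]}
]"""

# Constructed advisory feed with hypothetical IDs. Each entry is scoped to one
# component and a version range: affected if introduced <= version < fixed_in.
ADVISORIES = [
    {"id": "ADV-2019-0001", "vendor": "openssl", "name": "openssl",
     "introduced": "1.0.2", "fixed_in": "1.0.2n", "severity": "high"},
    {"id": "ADV-2019-0002", "vendor": "ExampleOS", "name": "exos-smb",
     "introduced": "0", "fixed_in": "3.2.0", "severity": "critical"},
    {"id": "ADV-2019-0003", "vendor": "ExampleMed", "name": "dicom-lib",
     "introduced": "5.0", "fixed_in": "5.3", "severity": "medium"},
]

Version = Tuple[Tuple[int, str], ...]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def load_inventory(text: str = CBOM_JSON) -> List[dict]:
    """Parse the inventory JSON into a list of device records."""
    return json.loads(text)


def parse_version(text: str) -> Version:
    """Split '1.0.2k' into comparable tokens: (1,''),(0,''),(2,''),(-1,'k').
    Numeric tokens compare numerically; a letter suffix sorts after the bare
    number it follows (so 1.0.2k > 1.0.2), matching OpenSSL-style lettering.
    This tokenizer is an assumption of the example, not a vendor's scheme."""
    tokens = re.findall(r"\d+|[A-Za-z]+", text)
    return tuple((int(t), "") if t.isdigit() else (-1, t.lower()) for t in tokens)


def is_affected(version: str, advisory: Dict[str, str]) -> bool:
    """True when version lies in [introduced, fixed_in) for this advisory."""
    v = parse_version(version)
    return parse_version(advisory.get("introduced", "0")) <= v < parse_version(advisory["fixed_in"])


def find_affected(devices: List[dict], advisories: List[dict]) -> List[dict]:
    """Cross the inventory with the feed; one finding per (device, component, advisory).
    Components are matched on (vendor, name), case-insensitively."""
    index: Dict[Tuple[str, str], List[dict]] = {}
    for adv in advisories:
        index.setdefault((adv["vendor"].lower(), adv["name"].lower()), []).append(adv)
    findings = []
    for dev in devices:
        for comp in dev["components"]:
            key = (comp["vendor"].lower(), comp["name"].lower())
            for adv in index.get(key, []):
                if is_affected(comp["version"], adv):
                    findings.append({
                        "device": dev["device"], "serial": dev["serial"],
                        "component": comp["name"], "version": comp["version"],
                        "advisory": adv["id"], "severity": adv["severity"],
                        "fixed_in": adv["fixed_in"]})
    return findings


def devices_exposed_to(advisory_id: str, findings: List[dict]) -> List[str]:
    """Which devices run a component affected by the given advisory."""
    return sorted({f["device"] for f in findings if f["advisory"] == advisory_id})


def triage(findings: List[dict]) -> List[dict]:
    """Order findings for remediation: most severe first, then by device."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK.get(f["severity"], 9), f["device"]))


if __name__ == "__main__":
    findings = find_affected(load_inventory(), ADVISORIES)
    for f in triage(findings):
        print(f"{f['severity']:8} {f['advisory']} {f['device']} ({f['serial']}): "
              f"{f['component']} {f['version']} -> fixed in {f['fixed_in']}")
    print("Exposed to ADV-2019-0002:", devices_exposed_to("ADV-2019-0002", findings))
```

Two caveats a practitioner would hit immediately: the version tokenizer above is a simplification, and real advisories carry ranges per release branch rather than one fixed version; and the matching is only as good as the component identifiers, so a CBOM whose vendor and component names do not line up with the names used in vulnerability feeds leaves the HDO doing the correlation by hand, which is the tooling gap described in the quote above.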

In addition to working with medical device manufacturers, HDOs, and the public, the FDA said it is teaming up with “white hat” hackers (also called “ethical hackers”) by supporting the DefCon 2019 Biohacking Village through the launch of its #WeHeartHackers campaign and website. Attendees of the Jan. 29–30 meeting cheered the FDA for this collaborative approach to tackling such a complex and fast-moving problem.

“We have come a long way—but still have quite some way to go,” said Axel Wirth, distinguished technical architect at Symantec and member of the BI&T Editorial Board, who attended the meeting. “I applaud the FDA for the continued effort to lead the charge as they have done for the past several years. The challenges will continue to grow due to changing care delivery models (home care) and changes in technology (mobiles, cloud). Unfortunately, our challenges are the adversaries’ opportunity.”

The FDA is seeking comments on its draft guidance until March 18.