Ultra Electronics 3eTi

Cybersecurity for a New Type of Critical Infrastructure

February 1st, 2017 / By

Regulators Weigh in on Medical Devices

While the medical device as a cyber-attack target has increasingly concerned health regulators in recent years, the risk may come as news to many in traditional ICS infrastructure circles. For cybersecurity specialists focused on control systems that power electrical grids and transportation networks, priority status often goes to endpoints such as sensors and meters, not to pacemakers and insulin pumps.

It may be time to expand security strategies for critical infrastructure to include the digital frameworks interconnecting smart medical devices. On December 28, the Food and Drug Administration (FDA) published new guidelines to better manage cybersecurity for medical devices. As with regulatory direction in industrial and manufacturing automation, officials called device security a shared responsibility, focusing attention on postmarket security issues such as vulnerability response and remediation.

In discussing the guidance on FDA’s blog, the agency’s associate director for science and strategic partnerships said that cybersecurity threats are “real, ever-present, and continuously changing. In fact, hospital networks experience constant attempts of intrusion and attack that can pose a threat to patient safety.” This will sound very familiar to, among others, power plant operators.

Also noteworthy is FDA’s position that medical device manufacturers should implement a comprehensive program to manage cyber-risk. This means that manufacturers should:[1]

  • Have a way to monitor and detect cybersecurity vulnerabilities in their devices
  • Understand, assess and detect the level of risk a vulnerability poses to patient safety
  • Establish a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities (known as a “coordinated vulnerability disclosure policy”)
  • Deploy mitigations (software patches, for example) to address cybersecurity issues before they can be exploited and cause harm

We applaud FDA for recognizing cyber-risk in the critical industry of medical devices, and for sponsoring coordinated and comprehensive action to mitigate potentially devastating cyber-threats. Those of us who have long advocated for such controls in industrial systems know that the threat is real and how steep the road to tackling it is.

[1] FDA Voice: Managing Medical Device Cybersecurity in the Postmarket: At the Crossroads of Cyber-safety and Advancing Technology, Suzanne B. Schwartz, M.D., M.B.A., December 27, 2016.