Original filename: FDA Still Lags in Cybersecurity.pdf
Title: https://www.pharmamedtechbi.com/publications/the-gray-sheet/42/
Author: tdraschil

This PDF 1.5 document has been generated by PScript5.dll Version 5.2.2 / Acrobat Distiller 11.0 (Windows), and has been sent on pdf-archive.com on 22/04/2016 at 15:35, from IP address 50.79.x.x. The current document download page has been viewed 596 times.
File size: 211 KB (6 pages).
Privacy: public file





This copy is for your personal, non-commercial use. For high-quality copies or
electronic reprints for distribution to colleagues or customers, click here or call
+1 (908) 547-2200 .
Printed by Mr. Norm Rabin, Maetrics LLC

FDA Still Lags In Cybersecurity Game, Expert Says
By Ferdous Al-Faruque
Features & Analysis / Word Count: 2147 / Article # 01160425004 / Posted: April 19 2016 4:45 PM

Executive Summary
A cybersecurity expert who works with hospitals to protect systems and
devices from network attacks welcomes FDA's efforts to boost regulations
around medical device cybersecurity, but says the agency should have made
more of a push seven years ago when Microsoft announced it was no longer
going to support Windows XP and Windows 7.

Over the past few years FDA has made a strong push to bolster cybersecurity on
connected medical devices, but an expert who has been working with health-care
providers to update their systems for vulnerable devices says the agency is long
overdue in that effort.
FDA has stepped up its call to get manufacturers to be more aware of potential
cybersecurity vulnerabilities on their devices and ensure security throughout a
product's lifecycle. In this effort, the agency has held several workshops, published
a premarket guidance and, more recently, released a draft guidance on postmarket
considerations for medical device cybersecurity. (See "Responding To
Cybersecurity Threats: FDA Addresses Postmarket Questions In Draft Guidance"
— "The Gray Sheet," Jan. 20, 2016.)

Related Articles:
Medical Device Hackers Now Deemed Allies By FDA, Industry ("The Gray Sheet," Mar. 29, 2016)
Responding To Cybersecurity Threats: FDA Addresses Postmarket Questions In Draft Guidance ("The Gray Sheet," Jan. 20, 2016)
FDA Outlines Agenda For Cybersecurity Workshop ("The Gray Sheet," Jan. 11, 2016)
FDA Warns Of Hacking Threat From Hospira's Symbiq ("The Gray Sheet," Aug. 3, 2015)


Despite these actions, Mick Coady, a principal with PricewaterhouseCoopers, says
FDA is at least seven years behind in its push for improving device security.
Coady specifically is referring to the time since Microsoft decided to stop issuing
security patches for its aging Windows XP and Windows 7 operating systems.
"That's when FDA should have been ahead of this because a lot of the operating
systems that are tied to medical device systems are running on XP and Windows 7,"
he said. Older devices "are completely open to vulnerabilities and attacks, and
basically what we have to do on the provider side, on the hospital side, is create
network segmentation areas" to isolate the vulnerable products.

Coady says he often works with hospitals to retrofit the facility's computers to
handle older and more vulnerable medical devices, but some device systems
simply can't be retrofitted.
He says in the past year he has worked with six hospitals that were unable to
retrofit the system for vulnerable medical devices because they couldn't upgrade
the operating systems that run the devices. Rather, they created layers of
firewalls to limit access and prevent potentially malicious hackers from taking
control of them.
The other option is for the hospital to upgrade to Windows 10 or another operating
system and discontinue using unsupported medical devices. "In certain cases you
have to dump an enormous amount of money to buy the newer versions, and
hospitals are not budgeting for that," Coady said.
Coady equates the current situation to the Y2K scare of the late 1990s wherein, due
to a lack of foresight, computers were at risk of crashing when the clock rolled over
to Jan. 1, 2000. In that case there were industrial control systems that had to be
patched to prevent them from failing, but the situation with medical device
vulnerabilities doesn’t seem to be treated as seriously today.
Because many older medical devices run on outdated Windows systems, they can't
be patched because they are no longer supported by Microsoft even when a
vulnerability is detected.

Sharing Responsibility
Cybersecurity vulnerability was listed as a major concern in
PricewaterhouseCoopers' recent report on top issues in 2016 to look out for in the
health-care industry. Some analysts have even warned that a major cybersecurity
hack on medical devices could harm patients this year. (See "FDA Outlines Agenda
For Cybersecurity Workshop" — "The Gray Sheet," Jan. 11, 2016.)
FDA has been increasing its focus on cybersecurity of medical devices for several
years now, but the issue has really come to the forefront in the past year with
hackers finding vulnerabilities in several medical devices. This includes Hospira
Inc.'s Symbiq infusion pump, the subject of the agency's first safety alert over a
potential cybersecurity vulnerability. (See "FDA Warns Of Hacking Threat From
Hospira's Symbiq" — "The Gray Sheet," Aug. 3, 2015.)


The agency says so far no one to their knowledge has been harmed by these
vulnerabilities, but Coady says he has heard of at least one case in Tennessee
where a morphine drip pump was hacked by a family member that could have
accidentally killed a patient.
Seth Carmody, a reviewer in FDA's Office of In Vitro Diagnostics and Radiological
Health, says he has not heard of that incident. He stressed that FDA encourages
people to report "near misses" where a potential vulnerability could be a safety risk,
in addition to actual adverse events that result from the exploits of medical device
vulnerabilities.
In general, Carmody reemphasized the ongoing cultural change at FDA to tackle
cybersecurity threats on medical devices, and in particular the agency's emphasis
on bringing all stakeholders – including health-care providers, manufacturers and
hackers – together to work. (See "Medical Device Hackers Now Deemed Allies By
FDA, Industry" — "The Gray Sheet," Mar. 29, 2016.)
"We are faced with a different environment today – a health-care environment that
is under constant attempts at intrusion and attack from a number of motives," he
said. "Meeting these challenges warrants a shift in mindset, one that incorporates
threat modeling as an integral part of risk assessment."
To tackle these threats, Carmody says all stakeholders need to be vigilant about
threat monitoring and practice good cyber hygiene on their devices. He stresses
that it is important for industry to quickly respond to potential vulnerabilities and
provide remediation.
Also, based on its latest postmarket draft guidance, the agency is encouraging
manufacturers to develop vulnerability disclosure policies and to engage in
coordinated disclosure with health-care delivery organizations and cybersecurity
researchers.
PWC's Coady, however, is skeptical that the emphasis on sharing responsibilities is
working. He is concerned that device-makers are not so invested in helping deal
with potential vulnerabilities and patch older, more vulnerable devices as they are
marketing newer products that don't have such security concerns.
"At the end of the day there are some [manufacturers] trying to do the right thing
and get things back in order, but it's kind of in its infancy," he said. "I would say in
the next 18 to 24 months you're going to see this space explode quite a bit."
Coady says there are numerous medical device vulnerabilities that can easily be
found via the site Shodan, which is a search engine that allows people to find
reported vulnerabilities on different kinds of industrial control systems. He thinks
manufacturers should keep an eye on it, and is surprised that FDA officials aren't
already taking advantage of the site based on his conversations with them to track
down devices with potential security loopholes.

Building Responsibility Into Contracts
A major issue when discussing how to make sure devices continue to remain safe
from security vulnerabilities is figuring out who bears responsibility for updating
and patching them. PWC's Coady says responsibility should be with the
manufacturers. He says FDA has given device-makers a lot of leeway to update
their products, but they tend to push that responsibility onto health-care providers.
"If you have a software contract with Microsoft or Oracle in your licensing
agreement, you pay 18 percent in maintenance, and the upgrades and updates
come for free," said Coady. "That is not the case in the medical device world
because in certain cases you may have to retrofit or even buy a new device to fix
the problem or update the problem as a security issue. So they're kind of holding
the hospitals to a certain degree at ransom in some cases."
Coady emphasizes the manufacturers are not wholly to blame and some do try to
be responsible by working with health-care providers to update their products.
But, in the end, the providers should build the cost of updating medical devices
into their contracts with manufacturers, he says.
He knows of at least one case wherein the chief information officer working for a
hospital in the Middle East wrote that responsibility for manufacturers into the
contract when buying a Picture Archiving and Communication System (PACS) for
his hospital. That executive has since moved to a hospital system in Virginia and
is implementing the same language for new purchases.

Devices Held Hostage?
Another grave area of concern has been the rise of ransomware attacks on
hospital systems where malicious hackers have been able to infiltrate electronic
health records and encrypt them. The hackers then order hospitals to pay a
ransom in order to provide the password to the hospitals to release those records.
"The biggest thing that I think is going to occur is where ransomware and Stuxnet
meets in the middle," cautions Coady.
Stuxnet is a malicious worm that is suspected to have been created by the US and
Israeli governments to put Iran's nuclear reactors out of commission. While the
worm was reportedly successful toward that goal, it accidentally spread to other
computers around the world, putting other types of industrial control systems in
danger.
"If you look at how ransomware can creep and slide into an environment, and
because of its stealth, it doesn't mean they can't target or redesign the vectors and
targets on the medical devices in no time at all. The payload on Stuxnet could
cause some pretty serious damage," Coady warned.
He can foresee a scenario wherein hackers install ransomware on medical devices
and threaten hospitals, manufacturers and even patients that they will shut down
those devices if they aren't paid a ransom.

As medical device cybersecurity
concerns escalate, Coady also says device companies and operating system
developers like Microsoft and Oracle should be talking more about how they intend
to continue updating those systems.
FDA's Carmody recently spoke at an eHealth Initiative meeting where he floated the
idea of medical device companies actually developing their own open-source
operating system. He emphasized later to The Gray Sheet that FDA has authority
over how operating systems on medical devices are regulated.


"We regulate medical devices that use a variety of operating systems," he said. "We
look at how the device performs using the specific operating system chosen by the
manufacturer and outlined in the submission."

Enforcing Better Cybersecurity
FDA is working on developing more guidances for medical device cybersecurity, but
hospitals are insisting the agency already has regulations in place that it isn't
enforcing, Coady says. One example, he notes, is FDA has allowed manufacturers
the ability to update their operating systems without recertification, but because it is
a recommendation rather than a requirement companies don't always do so.
"They need an enforcement body, and I
don't know who that is, or what it is, or if
they create one themselves, but that's
what's lacking with the FDA right now,"
he said.
Carmody insists FDA already has
enforcement authority over the
cybersecurity of medical devices when
there is a safety concern – and is willing
to use it.

"The cybersecurity postmarket draft guidance announced earlier this year is
consistent with the agency’s Quality System Regulation," he said. "Any
manufacturer not in compliance with FDA's Quality System Regulation is in violation
of the [Food Drug and Cosmetics] Act and the FDA can take appropriate action, as
necessary.
"We also work closely with other agencies, including [the Office of Civil Rights] and
[the Office of the National Coordinator for Health Information Technology], in
addressing cybersecurity management of medical devices," he added.
Coady is also surprised that FDA has not hired security researchers to oversee
review of medical devices. In a recent conversation with The Gray Sheet, Suzanne
Schwartz, associate director for science and strategic partnerships at FDA's Center
for Devices and Radiological Health, said the agency has no current plans to hire
hackers to help oversee medical devices.
However, during their March Medical Device User Fee Act IV negotiations, FDA did
request additional funding for digital health that includes salaries for employees to
tackle review of medical device cybersecurity. The agency would not comment if
that meant hiring security researchers.

Fixing It Before It Breaks
For now, Coady says hospitals are probably going to stick with the approach of
responding to medical devices that are incapable of being retrofitted by putting them
behind layers of firewall to cordon off those devices from potential intrusions.
"I don't think the manufacturers are going to do anything else other than tell you
that's the way you've got to approach it," he said. "I'll be honest with you, they're not
really providing much help. I think the hospitals are taking the initiative themselves."


He stresses that hospitals need to establish a set of rules that allow access to the
devices through their own protocols. "I'm not out here to be a scaremonger, but I
work in security for a living," Coady said. "I'd rather come to you and say, 'Look we
know it's a problem, let's start talking about some solutions.'"
*Follow Ferdous (Danny) Al-Faruque @alfaruque

Copyright (c) 2016 Informa Business Intelligence, Inc., an Informa Company. All rights reserved. No part of this article
may be reproduced in any form or incorporated into any information retrieval system without the written permission of the copyright owner.
Online/print subscriptions, reprints, and web posting and distribution licenses are available.
Contact us at (888) 670-8900, +1 (908) 547-2200, or clientservices@pharmamedtechbi.com.
