Statement from FDA Commissioner Scott Gottlieb, M.D. on FDA’s efforts to strengthen the agency’s medical device cybersecurity program as part of its mission to protect patients
The threat of cyber attacks is no longer theoretical. Cyber criminals and adversaries can inflict significant harm on networks through relatively simple methods, such as phishing emails or malicious software (malware).
In recent years, we’ve witnessed the far-reaching and negative consequences of successful cyber campaigns on organizations. Victims include financial institutions, government agencies, and now health care systems. Even when medical devices are not being deliberately targeted, if these products, such as radiologic imaging equipment, are connected to a hospital network, they may be affected.
As the number of cyber attacks has increased, we’ve heard concerns about the potential for cyber criminals to attack patient medical devices. Cybersecurity researchers, often referred to as “white hat hackers,” have identified device vulnerabilities in non-clinical, research-based settings. They’ve shown how bad actors could exploit these same weaknesses to gain access to and control of medical devices. The FDA isn’t aware of any reports of an unauthorized user exploiting a cybersecurity vulnerability in a medical device that is in use by a patient. But the risk of such an attack persists. And we understand that the threat of such an attack can cause alarm to patients who may have devices that are connected to a network. We want to assure patients and providers that the FDA is working hard to be prepared and responsive when medical device cyber vulnerabilities are identified.
At the FDA, we’ll continue to put protecting patients at the forefront of what we do. Today, we are building on a foundation of shared responsibility with our stakeholders. In coordination with the MITRE Corporation, we’re announcing the launch of a cybersecurity “playbook” for health care delivery organizations that’s focused on promoting cybersecurity readiness. We’re also announcing the signing of two significant memoranda of understanding. These agreements bring together multiple stakeholders to allow for increased information sharing and transparency around cybersecurity risks.
Securing medical devices from cybersecurity threats cannot be achieved by one government agency alone. Every stakeholder (manufacturers, hospitals, health care providers, cybersecurity researchers and government entities) has a unique role to play in addressing these modern challenges. That’s why the FDA has long been committed to working with various stakeholders to stay a step ahead of constantly evolving cybersecurity vulnerabilities. In this way, we can ensure the health care sector is well positioned to respond proactively when cyber vulnerabilities are identified in products that we regulate.
Our Center for Devices and Radiological Health (CDRH) has taken a holistic, systematic approach to building our medical device cybersecurity program, as well as creating an environment where industry and other stakeholders understand the importance of this shared responsibility.
The FDA’s work in this area dates back to 2013, when we established the foundations of our medical device cybersecurity program. We created a Cybersecurity Working Group within CDRH that’s well poised to respond to concerns and actively addresses the need for new approaches and new policies. We also established a framework to address cybersecurity regulatory considerations which, taken together, represent our recommendations for product developers at each stage of a product’s life cycle.
Our premarket guidance identifies issues manufacturers should consider in the design and development of their medical device to ensure their product adequately addresses cybersecurity vulnerabilities. Our postmarket guidance outlines a risk-based framework manufacturers should use to ensure they can quickly and adequately respond to new cybersecurity threats once a device is in use. The FDA’s policy leverages the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity. This underscores the importance of adoption by medical device manufacturers of the Framework’s five core functions: identify, protect, detect, respond and recover. The FDA does not compartmentalize its premarket and postmarket activities, nor assess them in isolation.
The premarket guidance was finalized in 2014. In the coming weeks, we plan to publish a significant update to that guidance to reflect the FDA’s most current understanding of, and recommendations regarding, this evolving space. For instance, the new draft guidance will highlight the utility of providing customers and users with a “cybersecurity bill of materials”: a list of the commercial and/or off-the-shelf software and hardware components of a device that could be susceptible to vulnerabilities. Depending on the level of cybersecurity risk associated with a device, this list can be an important resource to help ensure that device customers and users are able to respond quickly to potential threats, because a newly disclosed vulnerability in a shared component can be matched against the devices that contain it. We look forward to comments from stakeholders on the updated recommendations and how the FDA can continue to advance our regulatory approach to keep pace with changing cybersecurity risks.
Beyond our own policies, the FDA works proactively to create an environment of shared responsibility with diverse stakeholders, including other government agencies, industry, health care delivery organizations, cybersecurity researchers and others. These collaborations include actions through public-private coordinating councils and engagement directly with industry and patients alike.
Our efforts have yielded tools to advance cybersecurity awareness and readiness. For example, we’ve supported the development of a tool to help health care delivery organizations (HDOs), such as hospitals, better respond to medical device cybersecurity incidents. Following recent cybersecurity attacks, the FDA recognized a need to close a gap in HDO readiness and response tactics for incidents or exploits affecting medical devices. Today, I’m pleased to announce that the MITRE Corporation, with support from the FDA, released a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook. The playbook describes the types of readiness activities that’ll enable HDOs to be better prepared for a cybersecurity incident involving their medical devices. These include steps such as developing a medical device inventory and conducting training exercises. The goal is to give product developers more opportunity to address the potential for large-scale, multi-patient impact that may raise patient safety concerns. The FDA also developed our own internal playbook to help our staff address cybersecurity threats, vulnerabilities and incidents. Our internal playbook establishes an effective and appropriate incident plan that’s flexible and clear. It aims to help the agency respond in a timely manner to medical device cybersecurity attacks, mitigating impacts to devices, health care systems and ultimately, patients.
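The two readiness steps above, a medical device inventory and a per-device cybersecurity bill of materials, pay off only when an HDO can join them against new advisories. The following is an added example, not code from the FDA, MITRE or the playbook, showing how that join works on constructed data: the CBOM layout (component name plus dotted version), the device and component names, and the advisory identifiers are all hypothetical, and the version comparison assumes vendors publish plain dotted numeric versions.

```python
"""Match an HDO's device inventory and per-device CBOMs against advisories.

Added example with constructed data; no real device, vendor or advisory
is referenced. Assumptions: a CBOM entry is (component name, dotted
numeric version) and an advisory names a half-open affected range
[introduced, fixed), with fixed=None meaning no patched version exists.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str      # hypothetical component name as it appears in the CBOM
    version: str   # dotted numeric version string, e.g. "2.4.1"


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # hypothetical identifier, not a real CVE/ICSA
    component: str          # affected component name
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = unpatched


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.1' into (2, 4, 1). Non-numeric suffixes such as
    '1.0.2-rc1' are truncated at the first non-digit of each part; if a
    part has no leading digits it becomes 0. Vendor strings that are not
    dotted numbers must be normalised before reaching this function."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def is_affected(comp: Component, adv: Advisory) -> bool:
    """True when comp's version lies in adv's [introduced, fixed) range."""
    if comp.name != adv.component:
        return False
    v = parse_version(comp.version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


Hit = Tuple[str, str, str]  # (component, version, advisory_id)


def find_exposed(inventory: Dict[str, List[Component]],
                 advisories: List[Advisory]) -> Dict[str, List[Hit]]:
    """Return {device_id: sorted hits} for every device with at least one
    CBOM component inside an advisory's affected range."""
    exposed: Dict[str, List[Hit]] = {}
    for device, cbom in inventory.items():
        hits = [(c.name, c.version, a.advisory_id)
                for c in cbom for a in advisories if is_affected(c, a)]
        if hits:
            exposed[device] = sorted(hits)
    return exposed


def devices_by_advisory(exposed: Dict[str, List[Hit]]) -> Dict[str, List[str]]:
    """Invert the result: advisory_id -> sorted device ids. This is the
    view an HDO needs to judge multi-patient impact of one disclosure."""
    by_adv: Dict[str, List[str]] = {}
    for device, hits in exposed.items():
        for _, _, adv_id in hits:
            by_adv.setdefault(adv_id, []).append(device)
    return {k: sorted(set(v)) for k, v in by_adv.items()}


# Constructed inventory: device id -> CBOM. All names are hypothetical.
INVENTORY: Dict[str, List[Component]] = {
    "infusion-pump-ward3-01": [Component("rtos-netstack", "2.4.1"),
                               Component("tls-lib", "1.0.2")],
    "ct-scanner-rad-02": [Component("rtos-netstack", "3.1.0"),
                          Component("dicom-server", "5.2.0")],
    "patient-monitor-icu-07": [Component("tls-lib", "1.1.1"),
                               Component("rtos-netstack", "2.3.9")],
}

# Constructed advisories with hypothetical identifiers.
ADVISORIES: List[Advisory] = [
    Advisory("ADV-0001", "rtos-netstack", "2.0.0", "2.5.0"),
    Advisory("ADV-0002", "tls-lib", "1.0.0", "1.0.3"),
    Advisory("ADV-0003", "dicom-server", "5.0.0", None),   # no fix yet
]

if __name__ == "__main__":
    exposed = find_exposed(INVENTORY, ADVISORIES)
    for device, hits in sorted(exposed.items()):
        print(device)
        for name, ver, adv_id in hits:
            print(f"  {name} {ver}: {adv_id}")
    print(devices_by_advisory(exposed))
```

The half-open range and the unpatched-advisory case (`fixed=None`) are the two details that most often go wrong in ad hoc scripts: an inclusive upper bound flags the fixed release as vulnerable, and dropping advisories without a fix hides exactly the devices that need compensating controls such as network segmentation. Real CBOM and advisory feeds also carry vendor version strings that are not comparable as dotted integers, so the normalisation in `parse_version` is the place to extend before trusting the output.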
Another example of our commitment to shared responsibility is our announcement today of two memoranda of understanding with multiple stakeholder groups to create information sharing and analysis organizations (ISAOs), groups of experts that gather, analyze and disseminate important information about cyber threats. As we noted in our postmarket cybersecurity guidance, the FDA believes that manufacturers that participate in ISAOs signal they’re being proactive in addressing cybersecurity.
In these ISAO forums, manufacturers have the opportunity to share information about potential vulnerabilities and emerging threats. We believe this transparent sharing of information will help manufacturers address issues earlier and result in more protection for patients.
We also recognize that our part in shared responsibility is partnering with other government agencies to strengthen our preparation for and response to cybersecurity threats. This includes discussions with the U.S. Department of Homeland Security (DHS) about executing a memorandum of agreement (MOA) related to our inter-agency work on medical device cybersecurity. We’ll share additional details about this MOA in the future, but our goal is to provide a durable framework for coordination and information sharing between the two agencies about medical device cybersecurity vulnerabilities and threats. We believe this type of coordination will lead to more timely and better responses to potential threats to patient safety.
Our partnering also extends to joint cybersecurity exercises that simulate scenarios involving medical device cybersecurity threats. The FDA has been exploring steps to continue building on the work that our stakeholders and the agency have already achieved toward these ends. We based these activities on our evolving experience from engagement with stakeholders, our review of premarket submissions, investigations of device-specific vulnerabilities, and participation in functional and tabletop exercises simulating medical device cybersecurity threats. These exercises include the DHS-led ‘Cracked Domain’ functional exercise in 2013, the DHS-led Capstone National Level Exercise in 2016, AdvaMed’s Cybersecurity Summit in 2016, and a MITRE-convened tabletop on behalf of the FDA in 2017. Most recently, we’ve also had the opportunity to gain further insight into the discovery of device vulnerabilities and to continue cultivating our working relationship with the security researcher community by being present and participating with manufacturers in the DefCon Biohacking Village – Medical Device Hacking Lab in 2018.
Finally, we’re taking steps to bring additional resources to the FDA to continue building our medical device cybersecurity program. In the FDA’s Fiscal Year 2019 Budget, we proposed to create a Center of Excellence for Digital Health. This Center of Excellence would help establish more efficient regulatory paradigms, consider the building of new capacity to evaluate and recognize third-party certifiers, and support a cybersecurity unit to complement the advances in software-based devices.
When we issued our Medical Device Safety Action Plan in April, we outlined our vision for how the FDA will continue to enhance our programs and processes to assure the safety of medical devices, including advancing medical device cybersecurity. Our actions today, and those we’ll take in the coming weeks, build on that effort. We’re committed to staying ahead of these risks and of unscrupulous cybercriminals who may seek to use cybersecurity vulnerabilities in a way that puts patient lives in danger. In order to protect against these threats and mitigate them when they do emerge, we must be forward leaning and nimble. Continuing to proactively address medical device cybersecurity is a key priority for the FDA. We remain fully committed to protecting American patients by addressing these emerging threats.
The FDA, an agency within the U.S. Department of Health and Human Services, promotes and protects the public health by, among other things, assuring the safety, effectiveness, and security of human and veterinary drugs, vaccines and other biological products for human use, and medical devices. The agency also is responsible for the safety and security of our nation’s food supply, cosmetics, dietary supplements, products that give off electronic radiation, and for regulating tobacco products.