Top 5 Steps for Medical Device Manufacturers to Operationalize Their Cybersecurity Programs
» Partner Adam Golodner discusses the importance of actionable cybersecurity plans.
— by Adam Golodner and Ali Wright
In an age where the critical infrastructure of almost every government, organization, and network depends on technology, cyber issues have quickly risen to the forefront of the security discussion. In fact, the United States has identified cyber as its top national security threat. As governments and industry continue to grapple with the dynamic complexities that cyber presents, affected stakeholders should stay abreast of cyber developments and engage in an open, collaborative dialogue with the appropriate government agencies.
President Obama’s Executive Order 13636: Improving Critical Infrastructure Cybersecurity recognized the need for improved cybersecurity and directed the National Institute of Standards and Technology (NIST) to develop a voluntary framework to reduce cyber risks to critical infrastructure. NIST released the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014, sharing a living guidance document that seeks to catalyze cybersecurity best practices for all critical infrastructure organizations, regardless of size or cybersecurity sophistication.
Order 13636 also directed the agencies responsible for regulating critical infrastructure to review the NIST Framework against their existing requirements and adjust their cybersecurity protocols as needed. The Food and Drug Administration (FDA) has consequently kept tabs on the cyber issue, particularly for medical devices, and has released Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. This finalized guidance, released October 2, 2014, addresses product assurance, hardware, and software through a traditional lens informed by the history of information technology (IT) security, and highlights key cyber issues that device manufacturers should contemplate over the course of premarket submissions such as the 510(k) Premarket Notification process.
The October 2014 guidance encourages manufacturers to implement cybersecurity measures during the design and development stages of a medical device while contemplating the following: (1) identification of assets, threats, and vulnerabilities; (2) assessment of the impact of such threats and vulnerabilities on the device; (3) assessment of the likelihood that such threats and vulnerabilities would be exploited; (4) identification of mitigation strategies; and (5) assessment of residual risk. The guidance also crafts a core framework with concrete examples of security functions to channel device manufacturers’ cyber efforts around five pillars informed directly by the NIST Framework: Identify, Protect, Detect, Respond, and Recover.
As the FDA confronts the cyber issue and shifts its attention to security measures associated with the full life cycle of a device, it will continue to look to NIST as a non-regulatory body with a healthy, respected history of cybersecurity best-practice guidance in the IT and system security ecosystem. Drawing from the NIST Framework and other sources, the FDA is exploring traditional indicia of assurance, such as development practices and the availability of security functionality (e.g., authentication protocols, timed sessions, layered authorization, password protection, physical security, encryption, fail-safe mechanisms, etc.). Device manufacturers should be prepared to articulate to the FDA that they have thoroughly contemplated these cyber issues and have taken a systematic approach to product security and integrity. Fortunately, the wheel does not have to be completely reinvented, as there are helpful guides for parties exploring this area, such as the NIST Framework, the NIST Special Publication 800 series, the global Common Criteria for Information Technology Security Evaluation (Common Criteria) protection profiles, and the security development lifecycle approaches.
But as device manufacturers work to meet increasing demand for interoperable medical devices with appropriate security measures, what are some of the most immediate steps that need to be taken to operationalize an effective, compliant cyber program?
- Form an Internal Cyber Committee
Each device manufacturer should strongly consider forming an internal cyber committee consisting of a diverse set of personnel from appropriate divisions within the company. Such a committee could be comprised of the Chief Information Officer, the Chief Information Security Officer, a member of the General Counsel’s Office, an employee from Research & Development, the General Manager of Medical Devices (or a member of the company’s Product Business Unit), a representative from Communications, and the Chief Financial Officer (or a member of the company’s Risk Management team). The committee should be charged with leading the company and its products towards greater security. Specifically, this committee should be tasked with ensuring the company has a cyber strategy to protect both the company as an enterprise, and its products. The committee should set strategy, ensure execution, and ensure the Board of Directors is briefed and has buy-in.
- Designate or Hire a Dedicated Senior-Level Employee to Be Responsible For Product Security & Integrity
Having a single leader for the company’s product cyber effort is crucial to the success of a cyber program. Companies need to create a culture of security through implementation of best practices, governance, training, and awareness. Moreover, in the event of a significant incident, being able to look to one person to quickly and efficiently lead the response team will be critical. This senior-level employee should be a member of the internal cyber committee but should also be the ‘owner’ of cyber for product in the company.
- Implement a Formalized Product Integrity Process
The company should implement a formalized product security program. It should review and consider the multiple sets of best practices for software and hardware development, and create a repeatable and documented process that fits the company’s product set. With reference to the Common Criteria and other standards, the company should look to methodologies that ensure the inclusion of security functionality, features, and capabilities matching the intended use of the product, and employ methods that show the security functionality has been properly implemented. Further, the company should review its supply chain and seek to ensure it employs processes and technologies that substantiate integrity and genuineness, for example code signing of firmware and updates, verified boot, and an inventory of the third-party and open-source components in each product so that vulnerabilities in those components can be tracked and fixed.
- Create a Product Incident Response Team
Create a product incident response team responsible for discovering and responding to product vulnerabilities. Also, think through an effective vulnerability disclosure policy: how vulnerabilities and fixes will be disclosed, to whom, and how they will be implemented. A core principle is coordinated disclosure: do not publicly disclose a vulnerability before a fix, or at least a mitigation, is available, as you do not want to create a situation where the vulnerability is known, and can be exploited, before customers can protect themselves. The policy should also set expectations for the researchers who report vulnerabilities (a contact point, an acknowledgement window, and a target time to remediate), since a policy that only delays publication without committing to a fix will not keep their cooperation for long; ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling processes) are useful reference points. Proper product incident response is a hallmark of good security practice.
- Perform Cyber Response and Recovery Exercises
After forming the product incident response team, you then need to exercise the response and recovery muscle. Take a lesson from the military here. Scenario planning and exercises will help you prepare for the real possibility that you will have to respond to and recover from a non-trivial event. Think about broadening this function out to the company-wide cyber committee. In addition to the product issues the company may face, it may also have to respond to and recover from a cyber event that affects the operations of the company, involves the theft of private information, or involves the loss of intellectual property. Outside security consultants, counsel, and communications experts can help make these exercises effective, and each exercise should end with a written list of gaps found and owners assigned to close them.
The FDA is communicating at the outset with industry players and seeking public-private partnerships to take on the issues attendant to this evolving threat. Given the increasing priority status of cybersecurity, medical device manufacturers should be poised now, more than ever, to collaborate with the FDA and shape any policy outcomes into workable, universal frameworks and solutions. However, the FDA is also relying on device manufacturers to organically grow into this complex area and stand on their own two feet.
There are many activities that will help companies down this road. Device manufacturers should be coordinating with their respective trade associations, engaging in cyber information sharing arrangements, participating in MITRE’s Handshake collaboration space, and thinking about how they should handle this issue globally. As attention to cyber grows, and countries around the world think about medical device security, companies should seek to avoid a patchwork of country-specific security requirements. Divergent or conflicting requirements would undermine both security and innovation, as well as the build-once, sell-globally business model. Drawing on lessons from the IT industry and others, the industry should work on a global path forward. Companies can also plan to join government-wide cyber exercises, like the Department of Homeland Security’s Cyber Storm V exercise scheduled for early 2016, which will focus on the health and retail sectors.
In conclusion, there is a path forward for companies to work with governments on cyber issues in a public-private partnership. Creating these partnerships can help manage current and future cyber risk, and help build in protections against both ill-conceived regulatory rules and uninformed legal developments. At the end of the day, building and using industry best practices will help create a safe and secure future—all while continuing to drive innovation in this dynamic industry.