Device cybersecurity requires a 'whole community' approach

The increase in medical device connectivity has allowed for ramped-up patient care, both at healthcare facilities and in the home.  

But at the same time, it’s vital to remember that those devices could represent network vulnerabilities – which, in turn, could lead to major cybersecurity incidents.   

Dr. Suzanne B. Schwartz, director of the Office of Strategic Partnerships and Technology Innovation at the U.S. Food and Drug Administration, says it will take collective action to address such vulnerabilities.  

“This is an area of shared ownership and shared responsibility,” said Schwartz.  

“There is no one entity, no one stakeholder that can solve these really big challenges on their own,” she explained. “It has to be through partnership through collaboration; through recognition that we all have different roles to play, different types of expertise, different responsibilities.”  

Schwartz, who will be presenting next month at HIMSS21 along with Margie Zuk, senior principal cybersecurity engineer at the MITRE Corporation, says the FDA has emphasized a “whole of community” approach to medical device cybersecurity when collaborating with industry leaders.    

“While FDA’s oversight and responsibilities are specific to the regulated industry,” she said, the agency has expanded its sphere of influence “by really bringing everyone to the table.”   

Through convenings, public meetings, workshops, private-public partnerships, working groups and other initiatives, FDA has tried to include a wide range of stakeholders in its attempts to bring device cybersecurity to the next level.  

This includes legacy devices, a perennial pain point in the field of cybersecurity.   

To engage with the healthcare sector on this front, Schwartz explained, FDA has a public-private partnership under its critical infrastructure protection program, which in turn houses the Healthcare Sector Cybersecurity Council – which itself comprises several task groups.  

“These are all volunteers from different organizations, and there are ones that are very much focused on: how do we improve, how do we advance cybersecurity in the medical device space?” Schwartz said. 

Two of these task groups are specifically focused on legacy: one on mitigating existing challenges, and one geared toward prevention of future problems. 

The emphasis, she continued, is on securing devices “from cradle to grave.”  

With that in mind, she said, “It’s important for us to make sure we’re understanding the pain points and the challenges that exist in each of these [groups of stakeholders], and they’re  given an opportunity to problem solve here.”  

Another issue is communication: How should the FDA communicate cybersecurity vulnerabilities not just to providers, but to patients? 

In the fall of 2019, FDA convened its Patient Engagement Advisory Committee to address just that issue. One recommendation that came from the meeting was for the agency to issue a framework for communicating device vulnerabilities. After releasing a draft in October 2020, Schwartz said the FDA is now preparing to issue a final white paper based on feedback.  

“That particular framework we scoped specifically to patients who live with medical devices, are dependent for their lives or for their health on medical devices … so that they know even what kinds of questions or things they should be bringing to their clinicians,” she said.  

“And it also serves for the very same reason in helping clinicians providers understand exactly what kind of language might [they] think about as [they] communicate to a patient about their device,” she said.

Schwartz says she hopes that a HIMSS21 audience will internalize the fact that medical device cybersecurity is not just an IT issue or a data issue. “Cybersecurity is a patient safety issue,” she said.   

“These devices are providing such important functions for the patients that they serve,” she continued.  

Schwartz and Zuk will explain more in their HIMSS21 session, “Taking Medical Device Cybersecurity to the Next Level.” It’s scheduled for Tuesday, August 10, from 1-2 p.m. in Venetian Marco Polo 701.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.

Source: Read Full Article