Archive for June, 2013

How to address cybersecurity threats in medical devices

Posted by fgilbert on June 24th, 2013

The FDA has published for comments a draft guidance that is intended to assist the health industry in identifying and addressing cybersecurity threats in medical devices. Indeed, medical devices are frequently used to collect patients’ vital signs. The information is then transferred to a database within the medical office or in the cloud, for further processing. For instance a diabetic patient may be equipped with a device that collects blood samples and sends the information to a cloud-based service that makes a diagnosis, determines the right dosage of a drug, and sets the time at which the dosage should be administered to the patient.

To complete this prowess, the medical device takes advantage of wireless, network, and Internet connections in order to exchange medical device-related health information collected from patients with a remote service or practitioner. The transmittal of patient information to remote computing facilities and their storage in a cloud can cause significant cybersecurity concern. The interception and unauthorized use, modification or deletion of critical patient information could have deadly consequences.

The draft guidance provides recommendations to consider and identifies documentation to be provided in FDA medical device premarket submissions in order to assure effective cybersecurity management and reduce the risk of compromise. Not surprisingly, the guidance recommends that engineers and manufacturers should develop security controls to maintain the confidentiality, integrity, and availability of the information collected from the patient and transmitted the medical cloud that allows the storage and processing of the information.

The draft guidance suggests the use of “cybersecurity by design”, a concept similar to that of “privacy by design,” to bake into the design of the medical devices and the equipment connected to these devices, the much-needed security features that could ensure more robust and efficient mitigation of cybersecurity risks.

The proposed guideline outlines the steps to be used for this purpose and stresses the importance of documenting the different steps taken:

  • Conduct a risk analysis and develop a management plan as part of the risk analysis;
  • Identify the assets at risk, the potential threats to these assets and the related vulnerabilities;
  • Assess the impact of the threats and vulnerabilities on the device functionality;
  • Assess the likelihood that a vulnerability might exploit;
  • Determine the risk levels and suitable mitigation strategies;
  • Assess residual risk, and define risk acceptance criteria.

As always, the issue is one of balance. Balancing the universe of threats against the probability of a security breach. Factors to be taken into account would include the type medical device, the environment in which it is used, the type and probability of the risks to which it is exposed, and the probable risks to patients from a security breach. In addition, the guidance recommends that manufacturers should also carefully consider the balance between cybersecurity safeguards and the usability of the device in its intended environment of use (e.g., home use vs. healthcare facility use) to ensure that the security capabilities are appropriate for the intended users.

The FDA draft guidance recommends that medical device manufacturers should be prepared to provide justification for the security features chosen and consider appropriate security controls for their medical devices including, but not limited to:

  • Limit access to trusted users only;
  • Ensure trusted content;
  • Use fail-safe and recovery features.

The proposed guidance also identifies the type of documentation that should be developed in preparation for premarket submission filed with the FDA. This information includes:

  • Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with the device;
  • Traceability matrix that links the cybersecurity controls to the cybersecurity risks that were considered;
  • Systematic plan for providing validated updates and patches to operating systems or medical device software;
  • Documentation to demonstrate that the device will be provided to purchasers and users free of malware; and instructions for use and product specifications related to recommended anti­virus software and/or firewall use appropriate for the environment of use.

The Draft Guidance is available at http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf

 

New York State launches investigation of top insurance companies’ cybersecurity practices. Who’s next?

Posted by fgilbert on June 4th, 2013

The State of New York has launched an inquiry into the steps taken by the largest insurance companies to keep their customers and companies safe from cyber threats. This is the second inquiry of this kind.  Earlier this year, a similar investigation targeted the cyber security practices of New York based financial institutions.

On May 28, 2013, the New York Department of Financial Services (DFS) issued letters pursuant to Section 308 of the New York Insurance Law (“308 Letters”) to 31 of the country’s largest insurance companies, requesting information on the policies and procedures they have in place to protect health, personal and financial records in their custody against cyber attacks.

Among other things, the 308 Letters request:

  • Information on any cyber attacks to which the company has been subject in the past three years;
  • The cyber security safeguards that the company has put in place;
  • The company’s information technology management policies;
  • The amount of funds and other resources that are dedicated to cyber security;
  • The company’s governance and internal control policies related to cyber security

The insurance companies will have a short period to respond to the questionnaire.  For further detail see Press Release of the New York Governor’s Office.

It is not clear what the State of New York will do with the information collected from the responses to this inquiry, but it is certain that this initiative is likely to be followed with great interest by other State Insurance and Financial industry regulators.  Indeed, both the insurance and financial services institutions collect, process and retain a significant amount of highly sensitive personal information about prospective, current and past customers.

Companies in the insurance or financial services sectors, as well as their respective service providers, should take the time to review their risk assessments, policies and procedures, especially with a focus on evaluating whether they adequately address known vulnerabilities, meet the current “best practices” standards, and are keeping up with the most recent technologies and forms of cyber attacks.