Cybersecurity & Healthcare

Michael C McNeil, testifying on behalf of Philips www.usa.philips.com and the trade association AdvaMed www.advamed.org, gave an overview of the medical technology sector on the issue of cybersecurity. He appeared before the House Energy & Commerce Committee https://energycommerce.house.gov Subcommittee on Oversight and Investigations on April 4, 2017.

He explained how important it is for medical device manufacturers to address cybersecurity throughout the product lifecycle and, very importantly, to implement proactive measures to manage medical device cybersecurity.

AdvaMed in March 2017 published a White Paper “AdvaMed Medical Device Cyber Foundational Principles”, www.advanced_medical_device_cybersecurity_principles_final.pdf, discussing how to develop a robust medical technology cybersecurity effort.

McNeil summarized the principles in the White Paper for the Subcommittee. First, an effective cybersecurity risk management program should incorporate both premarket and postmarket lifecycle phases and address cybersecurity from medical device conception to disposal.

In addition, medical device security risks should be addressed through a risk management process that is based on consensus-driven recognized standards and reference documents. This risk management process should include a process to monitor the ongoing security of devices in use.

Medical technology cybersecurity is a shared responsibility among all stakeholders within the healthcare community. Since systems are only as secure as their weakest point, all elements of the system must be appropriately managed and secured.

Medical device manufacturers should deploy a coordinated disclosure process that provides a pathway for researchers and others to submit information including potential vulnerabilities to the organization.

Manufacturers need to put information sharing concerning threats at the top of the list in order to manage cybersecurity effectively. It is necessary for the industry to always share threat and vulnerability information.

Finally, the development of cybersecurity-related consensus standards and regulations should be accomplished collaboratively among regulators, medical device manufacturers, independent security experts, academia, and healthcare delivery organizations.

McNeil told the Subcommittee that both Philips and AdvaMed commend the FDA for taking a proactive stand on medical device cybersecurity. The FDA has worked closely with the medical technology industry and the broader healthcare ecosystem to ensure medical device cybersecurity.

Most recently, last December, FDA released final guidance addressing the postmarket management of medical device cybersecurity. Also, FDA entered into a Memorandum of Understanding (MOU) with the National Health Information Sharing and Analysis Organization (NH-ISAC) https://nhisac.org and the Medical Device Innovation, Safety and Security Consortium (MDISS) www.mdiss.org to promote cybersecurity information sharing for medical devices.

These efforts led to the creation of a medical device-specific information sharing and analysis organization, which recently launched a program called the “Medical Device Vulnerability Intelligence Program for Evaluation and Response”, or MD-VIPER, https://mdviper.org.

MD-VIPER provides a streamlined mechanism for medical device manufacturers to submit and share information concerning cybersecurity related issues as well as to other members of the