
What's that? It's okay.
I think this one's fine. Okay, guys. You're good. Cool. All right. Welcome back after lunch. Um, hope everybody got uh all the food that they needed, took the bio breaks that they needed to ready to come back and and enthusiastically start the afternoon. Yeah. Yeah. All right, we got it. Um, so I'm Beau Woods. This is Scott Erven. Uh, we're going to do an introduction to medical device cyber security. It's something that we've been working on a lot lately. um especially over the past couple of years with uh the I Am The Cavalry group um to uh push for better outcomes sooner or safer sooner as we like to say. Uh so we're going to run through a quick uh
overview of um essentially the health care marketplace. This is uh everything that would have any kind of tie into medical devices. So uh it's incredibly broad, incredibly diverse. If you look at the number of types of devices that you can have, you can have everything from a giant MRI machine that might cost, you know, a couple of million dollars all the way down to literally pills that you can swallow that will report back through wireless connectivity the status of what's going on in your digestive system and everything in between. Uh we're coming into a really really exciting time in medical devices and in connected wearables and implantables where we're able to do really amazing things that
we've never had the opportunity to do in our history because of some of the technology that we're putting into these devices. But as we're putting this technology in, we're also inadvertently transferring some of the risky parts of that technology. uh some of the vulnerabilities, some of the exposures. So, as we started out a couple of years ago um to look at these areas to really try and work with all the stakeholders uh to get better outcomes um we found it both challenging and exciting uh to be able to help um safeguard our future. So, uh yeah, I don't know, Scott, if you have anything to add. Not yet. Okay. Later later we'll get to Scott's part. Um one of the uh one of
the really incredible breakthroughs that we had over the last year and we'll talk about it in a little bit more detail. Uh is coming together with many of the stakeholders in this ecosystem very broad very diverse. Uh if you were here for the first session of the day, uh you heard from Hans Molson from Drager who um announced to the room that he and his company are working with researchers to not just build better devices but to build a publicly facing attestation that they accept help from researchers to do the things that only researchers of our type can do which is some of the research that that goes on currently uh from Scott and some others in the room.
We've also found uh many other willing allies and one of those is actually on the phone with us today. Um that is the Food and Drug Administration of the United States. uh you wouldn't normally think of uh a a government agency uh getting engaged with just a group of passionate volunteers, but what we found is that uh the FDA among many others is willing to take help from the security research community from us uh to serve their mission better. Uh so with that, I'll turn it over to Suzanne Schwartz and let her introduce herself uh and talk a little bit about uh her role and what they're doing. Suzanne. Yes, Beau. Thanks so much for introducing
us. And again, my name is Suzanne Schwartz. I'm at the Center for Devices and Radiological Health. And here I play the part of being the director of emergency preparedness operations and medical countermeasures. But enough about my title. Let's just kind of jump right into it. And the first thing I'd like to really say is that this this really ranks high as a milestone for FDA. Just being able to participate here in BSides Las Vegas or for that matter any of the conferences that take place this week. Even though we're not with you all physically in the room, I have to say this is still quite a milestone and quite a treat. And so I want to really
start off by telling you both and Josh Corman and Scott Erven and the entire I Am The Cavalry team how much we at FDA really appreciate you giving us this opportunity. And who knows maybe next year we're going to be able to come to summer camp too. So some folks might be thinking oh great we have the regulator in the room with us now. Is this going to stifle open and honest discussion? And I'd be the first to admit that if I was sitting there in your shoes in the audience, I'd probably be thinking the same thing. And that means that I really have a huge task ahead of us in terms of being able to shatter
some of the myths and misconceptions of who the regulator is. What do we do at FDA? How do we see ourselves and our responsibilities beyond that classical view of the regulator? It reminds me that a couple of years ago when I was attending a clinical conference and I ran into a very very dear friend of mine, a professional colleague who I'd known for years well before I came to the FDA and he approached me at one point and he said, "You know, Suzanne, everyone here thinks that FDA is a boogeyman." And I remember getting up to speak publicly and introducing myself saying, "Hi, my name is Suzanne Schwartz and I'm here to tell you that the FDA is not the
boogeyman." And so I ask you to suspend judgment, to suspend disbelief for at least a few minutes now, while we paint a picture for where we want to go that might be quite different than some preconceived notions of the regulator or of the FDA. We see this as the beginning of a new dialogue. It's a partnership that has truly extraordinary, even better than that, I'd call it unrealized potential for impact in the medical device cyber security space. And it's all towards a common goal. That goal being to protect and promote public health. If you're in the room this afternoon for this workshop, it's because you care about patient safety, your own, every member of your family, your
friends, your peers, for the greater good. And we share that mission with you. So here's my appeal. Let's get to a place of common understanding. Let's work as a team to improve the cyber security posture of our medical device and health care system. And so we have to start with some context a little bit about the FDA. So if we could turn to the next slide, the slide that has the FDA organizational chart on it. FDA is an agency within the department of health and human services and there are four core functions of the agency. These include medical products and tobacco, food, global regulatory operations and policy and the fourth one being operations. As many of you probably know
FDA as a regulatory agency has oversight on food, drugs, cosmetics, medical products and tobacco. There are three medical product centers which are responsible for overseeing drugs, devices and biologics before they enter the US market and throughout their total product life cycle. We're going to zoom in further now and focus on specifically the Center for Devices and Radiological Health. So if we could turn to the next slide, the slide that reads the products we regulate. And this goes to the Center for Devices and Radiological Health, what we call CDRH. And that's the center where I work. CDRH regulates medical devices in the US. And as is characteristic of FDA's regulation of all medical products, we use a risk
based approach to classify devices from those that are the lowest risk which are called class one to the highest or most unknown risk which are called class three devices. And it's this classification that actually drives the level of evidence that's needed in determining what's called by quote unquote legal standards reasonable assurance of safety and effectiveness whenever a new product is first being evaluated and being introduced. And you can see on this pictorial this spectrum of devices from the simplest band-aid, and yes, by the way, band-aids actually are medical devices. They're class one medical devices to far more advanced and complex technology, as Bo mentioned, MRI machines, CT scanners, ultrasounds, and you name it. The technology as it will
continue to grow and advance is uh beyond amazing. We apply this similar benefit risk-based calculus to management of medical devices once they're distributed in the field and are in use by health care systems and that approach really extends to the entire device's product life cycle. Whenever a signal is brought to our attention, irrespective of whether it's cyber security related or not, we undergo a thorough analysis weighing the benefit against the risk to the public health at large. And those, as you can imagine, are quite tough decisions to make. And they're handled on a case-by-case basis. So let's turn to the next slide, a slide that speaks to CDRH and FDA goals. And so from the you know top
level at the at the very basic as well, it's meaning it's about meeting our mission. And what is our mission? It's to again assure the public that the medical devices that are available for use are indeed safe and effective. And that goes regardless of what that device is and where it's supposed to be utilized. It's applied directly to cyber security as well. So let's get into the specifics on a cyber security basis. Some of our goals include raising awareness and what we mean by that is also taking knowledge that exists in other industry sectors and being able to apply that knowledge to the health care public health sector and where medical devices reside. One thing that we've come to learn over
time, especially as we dialogue more with other industry sectors, is that healthcare public health has quite a ways to go in terms of evolving and maturing with respect to cyber security awareness and cyber security posture. You'll notice that I bolded in purple a few key principles that are our objectives as we go forward. Firstly, it's promoting safety and security by design by articulating what our regulatory expectations are in a clear manner. And then it's about promoting coordinated vulnerability disclosure and proactive vulnerability management. And finally, it's about minimizing reactive approaches. So there's a reason why I wanted to really highlight those three objectives, those three goals because it's really very much within the power and the
capabilities of working with the security researcher community as well as within the entire medical device stakeholder space that is going to really enable that to happen. And finally, it's about fostering this whole of community approach. So what do I mean by fostering a whole community approach? What you'll hear a little bit later as Beau goes on to talk, one of the themes that we continue to underscore that we think is most important is in building this type of partnering and collaboration across the entire stakeholder community and recognizing that there's so much work to be done. There's so much heavy lifting and yet if each stakeholder group each of us has something to give and to contribute from
a skills point of view, from knowledge and expertise that through this type of whole of community effort, we're going to be able to be in a much much better place than we are right now. So let's move on to the next slide. And this is really just to again highlight what the key takeaways are. If you walk away with anything from what I've said, again, it's that emphasis on our ability to be able to foster a whole of community approach. And that means that there's a very integral role that security researchers play in this space and that we need your partnership. we're relying on being able to work together. And I think that again we're going to be
able to do some um fantastic things in terms of not only being able to bring these extraordinary advances in new technologies to our patients, but to be able to provide that level of security and safety with them. For FDA, it's also about making sure that cyber security risk management programs become part of the normal culture. They become established within the medical device manufacturer community as well as within the health care end-user healthcare delivery organization community. It's about making cyber hygiene paramount and creating a trusted space, a trusted environment for information sharing. And then the last point here is one of those uh busting myths points that we like to talk about every time we have an opportunity to
talk to audiences in that in order to be able to uh improve the cyber security posture of a medical device. Updates of software can be performed by the manufacturer without necessitating the manufacturer to come back to FDA with a new submission with another pre-market application or pre-market 510(k) submission. It also does not necessitate in most cases does not necessitate a recall. So, with those very very general high-level points, I'm going to turn it back to Beau and um I look forward to having more of a dialogue with you after we finish the more formal part of this initial presentation. Thanks, Suzanne. Uh and uh I would just ask you maybe to repeat the very last
thing you said because it can't be repeated enough if you wouldn't mind. that software updates for cyber security do not do not do not require pre-market review or recall. Again, by and large by and large. Obviously, there are going to be some exceptions and those really depend upon whether the functionality of the device is impacted in such a way that it would require a pre-market review. But by and large for improvements in cyber security, we've stated this verbally, we've stated it in our pre-market guidance. Uh we've stated in a number of different uh communications as well. All right. Very good. Thank you for your time, Suzanne. And uh if you want to hang on the line, we can do a Q&A. And
if anybody has any questions for Suzanne later, um then we can open up the floor. Um so as I mentioned FDA has really been a critical partner uh in some of the things that we've done in the past year. Uh so as we've um worked through that, uh Scott and I were kind of putting together a timeline of what that looked like in the past year to go from essentially a situation uh a year or more ago where researchers kind of had ad hoc interactions with medical device makers, with the FDA, with uh MITRE, with any of the organizations that you would typically engage with when you find a vulnerability to where we are today, which is a uh a very very
advanced stage for the amount of time that we've had to go from zero to 60. So, uh this kind of started last year when um or maybe even the year before when the FDA released draft guidance for pre-market submission. Um, that's a a medical device term for basically before you can sell a device, the FDA has to know uh based on your evidence that you provide that that device is going to be safe and effective. Um, that kind of started the engagement. A couple of us uh wrote up some some comments, some responses to uh the call for responses uh based on that draft guidance. Um later in the year we were engaged uh by a group called the
Atlantic Council which is a uh a global policy think tank and they wanted to study the security or lack thereof of medical devices and what the real world implications of that were. So it was myself and a few other security researchers as well as a lot of policy makers um and including two people from the FDA, one of whom was Suzanne. uh and we got in a room and we talked about it and uh I was literally sitting across the table from the regulators in a position that felt very familiar. Um and I started to see that uh the things that that the FDA was saying were really aligned to some of the things that I was
saying and that a lot of the other folks in this room have been thinking. Um so after that really good first engagement face to face, we continued to develop that relationship. Um, we worked with them uh a little bit more on that pre-guidance, gave them some other information that we had. Uh, we, uh, Scott actually went to an ITLE e workshop held in New Orleans that was attended by a lot of policy makers, decision makers, uh, academics and security a couple of security researchers. um that was really effective because that was one of the things that uh was a uh kind of a a government agency sponsored activity. Even if they didn't have a formal sponsorship role, they
certainly had a lot of participation in that. Um over the past year, we found that we were embraced by a lot of uh medical device and health care community conferences who would ask us to come speak on certain topics. um or when we submitted uh they accepted our talk and said, you know, this is the talk that everybody's looking forward to this year. We're really excited to have you. Um and just to give, uh you know, to name drop a little bit, um the government of Poland called Scott and said, "Hey, do you want to come teach us uh how to improve our our security posture?" Um as well as several other uh really really uh key uh stakeholders in
the market. Um I think it was Josh when was it in March that you did this Cyber Wednesday May that uh Josh and uh Suzanne were on a panel talking about the product of the Atlantic Council's think tank sessions which was a paper detailing um connected medical devices and the security risks. Uh again I think it was it was a matter of everybody was directly on the same page. everybody was speaking the same language from the researcher side as well as from the government side. Uh so developed and continued to develop that relationship. Um Suzanne was at uh Source Boston as one of the keynotes um talking to geeks who weren't always uh security researchers but in a lot of
cases developers about the importance of developing secure code or sec more secure code and better decision making in developing uh the the medical devices secure by design. Like Suzanne said, um over the past couple of months, uh there have been some fairly high-profile vulnerabilities announced in medical devices. Uh because of some of the groundwork that we had been laying as security researchers with the FDA, um they reached out to us and said, you know, we need to do something about this. We need some kind of a a good coordinated uh way to to go about working towards a safer future sooner than it would happen organically or if it were just left up to one of the
stakeholder groups to unilaterally do this. Um so in a day-long session of brainstorming and education uh we worked with the FDA to both let them know what a vulnerability research uh researcher does as well as what the process looks like some of our frustrations particularly in the medical device manufacturer space but also we took a lot of education and learning from the FDA on what their role is what their responsibilities are how they see themselves in uh the chain of influence in medical devices. Um and some of these things eventually culminated in a safety communication that was issued, what was that Friday, Scott? Last Friday. Last Friday. Yeah. Um, so that safety communication came out and said there are vulnerabilities
in these hospital devices. Um, even though they're not currently for sale, uh, we recommend that healthcare organizations really consider whether the risk is worth the benefit of these devices. Uh and that's a really important step because it means that uh we got um a safer outcome without uh demonstrable harm having come first. Um and it's not the first case where a medical device has had a safety communication because of software, but I think it's a a trend that will continue to demonstrate um harm is not a prerequisite for action. Scott, any additions? No, but I'm just here to look good. Well, you do a good job of that. Um, so I just want to point out
everything that's in bold here. Those are key critical steps where uh security researchers and the FDA have partnered together to do things better, faster. Um, so what's coming is Scott and I as well as a number of other security researchers, healthcare organizations, government agency personnel, uh, and people from the security community are working on a couple of things. Uh it's it's essentially the spiritual successors to the automotive five-star safety framework which is a connected medical device procurement guide to find the choke point that is the um uh the buying process and inform the decision makers not to supplant their judgment but just to give them the right information to be able to take action on
so they can balance the risks as well as the benefits. We're also working on uh something that's more of a literal successor to the five-star, which is a Hippocratic oath for medical devices. The idea being physicians have a concept of modern medical device uh modern medical ethics embodied by the Hippocratic oath. It's a symbolic attestation to do no harm, to be um only on the side of the patient uh for their benefit. And as the physicians take these medical oaths um they then go and instruct medical devices to carry out those treatments. And so it only makes sense to have in that chain of treatment a some type of a spiritual um counterpart on behalf of the medical
device itself or the medical device manufacturers to say I I understand and recognize the physician's obligation and my obligation to first patient safety and for the benefit of the patient and I agree and I will carry that out. Finally, um, tomorrow night, Thursday night, uh, we're having a a small, uh, get together for medical device security researchers, other people in the ecosystem, um, and just to get together and say hello, to introduce ourselves, uh, to help build the groundwork for some of the collaboration that we need to have, uh, to be able to do what we need to do. It's called do no harm. Uh so if you are interested in participating uh come up and talk to us later. Hit us
up on Twitter. Uh and we'll get you the information as well as um you know get you what you need. Beau Woods. It's pretty easy. B E A U W O O D S. Scott. Yeah, we're easy. We don't have hacker handles. So with that, um I'd like to to open up the floor to questions. Uh, and we have a microphone right there. We've got about three or four minutes uh for questions. So, time for a couple and then we can move into the next part of the session.
You can find us on Twitter. Um, the cavalry handle is I Am The Cavalry. I'm Beau Woods and Scott is Scott. Yes. So, uh, my understanding is that the FDA has
updated. So, can you give any kind of like assessment of what their process is, what they're going to do, if they are going to do anything kind of just like were they open to the process at all? It's pretty bureaucratic organization takes a long time. They felt scared. help or they felt like something. Yeah. So, uh let me try and recapture your question and just make sure I got it right. Um so that Suzanne can hear it and maybe she can she can speak to that to the degree that she can. Uh so I think your question was um the FDA hasn't updated their uh regulations for applications. And do you mean um approval applications or software
applications? Sorry, software applications. Okay. So, um, the FDA hasn't updated their regulations on software applications since 2009. Uh, and what's their take on that? What are they doing? Um, and what's their posture? So, Suzanne, I don't know if you want to weigh in on that. So the first thing I would say just in terms of being um accurate in uh in how in our nomenclature I think what what the uh questioner is asking is updating the guidance document not the regulation specifically guidance being different than regulations. That's right. Yes. And is that is that correct? That's correct Suzanne. Okay. So I can't speak to the specific plan of updating uh that particular guidance document. What I
would tell you though is that we are presently engaged in putting together a cyber security guidance that reflects on all of the postmarket expectations for managing cyber security of medical devices that are out there in the field. uh and that is uh basically the the partnering document, the complementary document to the pre-market guidance that went final back in October 2014.
Okay. So, does that kind of tell you what you needed to know? Okay. Yep. Uh and I'll I'll mention if you want to have follow-up conversation or dialogue, you can get in touch with us. we can uh broker a conversation. Um the FDA has been very very willing to engage with security researchers. Um you know, like Suzanne said, uh we each see ourselves as willing allies in the fight for safer sooner. Um you might have just not covered this because it's kind of outside of the scope of this audience, but are you doing anything to uh communicate with uh excuse me medical device manufacturers as far as their quality systems and risk analysis goes as far as cyber security
is concerned. Um so we've done a lot of outreach to medical device manufacturers themselves. Um some of that has been around their quality systems in one shape or another. um when we go into those types of conversations, we don't have a particular agenda to try and influence any one thing that they're doing, but more to um build that ability to collaborate, the ability to allow them to improve. Um we've got a lot of really really good response from medical device makers who, you know, you find in every one of them somebody who wants to do the right thing, who is really pushing for it. uh and anything that we can do to help them be more successful um they absolutely
take it uh and and they enjoy that relationship and and the work that we do together. Um I know that some of the medical device makers have been working on their quality systems as a result of some of the interactions as well as as a result of some of the things that they've been doing on their own. Uh so those things are improving. Um, obviously I'd like to see it all fixed tomorrow so there's never any software bugs, but uh, bugs will always be a part of the process. If they have the things that allow them to catch themselves when they fail and improve, then that's also that's also good and this will be the last question.
Hello. So I was kind of confused when we got that alert on Friday though from the FDA because you know we got everybody spun up started looking at it and realized it appeared to be the exact same thing we got from ICS-CERT and NH-ISAC in 13 June. So was the additional delay of seeing that from FDA because they needed to vet something or was it just just a completely different track where they were getting it directly from the vendor? What was the the gap there? Yeah. Um that would probably be a good one for Suzanne to weigh in on. So Suzanne to just repeat the question for you. Um he asked uh you know the u
safety communication that uh was put out was similar to ones that had been put out on June 13th by ICS-CERT and some others. So how did the FDA safety communication differ from those earlier ones? How did the FDA safety communication that we put out on Friday, this past Friday on the SIP differ from our previous ones or from the ICS-CERT one? I didn't hear the question total totality from the ICS-CERT ones specifically from the ICS-CERT. Uh well to start with uh obviously uh the two agencies ICS-CERT and FDA have different functions and different responsibilities and while the ICS-CERT advisory provided not only awareness uh and specific details with regard to the vulnerability and its identification but
also worked with the manufacturer regarding the mitigation measures that should be put into place where the FDA safety communication is different is that it gets really much more into what we consider from the again patient safety public health perspective when we weigh that out and made a recommendation that was a uh where did as strongly encourage discontinuing use of the pump for the reasons that were identified which uh was not stated in the ICS-CERT advisory and of course wouldn't have been appropriate for the ICS-CERT advisory being that they are not the uh regulator of the medical device industry but I will tell you that we work very closely together ICS-CERT and FDA on the uh advisories or communications so that
we have visibility on the issues that arise and that we understand exactly what the vulnerabilities are that are being brought to ICS-CERT's attention and this level of dialogue and interaction has been very very beneficial across government. I think that it adds to a great degree of agility to be very honest with you uh in terms of being able to move a lot faster just by virtue of being that much more communicative. And so that's the primary that that would have to be the primary difference between the earlier communications that were put out by the ICS-CERT advisory and our safety communication which is clearly geared towards addressing the health care uh and public health user community.
Okay. Thank you Suzanne. So um with that we're going to transition from the uh discussion that we've had uh the kind of facilitated discussion to um some of the workshops that we had talked about uh to start building uh some um some small initiatives as well as leadership and recruiting willing allies, willing partners uh to do things to again promote safer sooner. So, um we want to go through and spend maybe the next 10 minutes coming up with some small projects that we could potentially do uh as security researchers or as others bringing others into the to the play um to help do better to be more effective. And as if you were in the
panel discussion, this is the idea of a do-ocracy, right? So whoever it is that um wants to change things to stand up and and take charge to lead uh giving ourselves the permission as well as the support to do that. Um, so for the next 10 minutes,