Reader Comment – Medical Device Cybersecurity and FDA

Last week, Christopher Sundberg left a comment on my post (removed from paywall) at CFSD Detailed Analysis on CISA’s advisories published on Thursday. He noted that:

“The Baxter LIfe2000 device, with the software version noted in the advisory, is also part of an FDA recall (https://www.fda.gov/medical-devices/ventilator-correction-baxter-healthcare-updates-use-instructions-life2000-ventilation-system-due)”

I just had a chance to look at the ‘recall notice’ (I wish the FDA would call this a ‘software update’ notice, but there are regulatory issues related to the term ‘recall notice’ that would not apply to the more technically correct term). While there certainly appears to be a software-related issue involved in the recall, it does not appear to be a cybersecurity issue.

The FDA and CISA both acknowledge that (different) workarounds should be implemented (the FDA requires that the recall specific workarounds be applied, CISA can only report that the cybersecurity workarounds are available) pending Baxter’s development of a new version of the Life2000 Ventilators software. The wording of the recall notice is sort of vague, however, when it comes to whether updating the software will be specifically required when Baxter makes it available.

“The firm is currently working on a software update to address this issue and will contact all impacted customers to update their devices once the update is available.”

If the update is required, this would be the first time that the FDA mandated the correction of an unreported (to them anyway) cybersecurity issue in a medical device. The last time that they deliberately mandated a cybersecurity mitigation was in September 2022.

Review - FDA Publishes Medical Device Cybersecurity Response Playbook

This week the Food and Drug Administration published the updated version of their Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook. Produced under contract by Mitre, the playbook presents target capabilities for medical device cyber incident preparedness and response. There are actually two parts to this playbook, the 54-page Regional Incident Preparedness and Response Playbook and the 10-page supplemental Quick Start Companion Guide.

According to the Mite web site for the publication:

“The playbook outlines how hospitals and other HDOs [Healthcare Delivery Organizations] can develop a cybersecurity preparedness and response framework. It supplements existing HDO emergency management and/or incident response capabilities with regional preparedness and response recommendations for medical device cybersecurity incidents. The revised version includes more explicit alignment with the Hospital Incident Command System for managing complex incidents, considerations for the widespread impacts and extended downtimes that are common during cyber incidents, and an appendix of resources.”

Commentary

The news almost daily reports a new healthcare delivery organization that has been impacted by some form of cybersecurity breach. It is clear that HDO’s need assistance to help them avoid the worst consequences of such attacks. Unfortunately, it does not look like either of these two documents is going to provide any timely assistance. To be fair, I do not think that any guidance document is going to be much help, as much of the problem is the lack of cybersecurity talent to support these organizations. Even if grant monies were thrown at HDO’s to improve their cybersecurity profiles, I do not think that there is a sufficient base of cybersecurity personnel to implement even minimal controls on all of the potential targets.

For more information about these two documents, including a discussion of their shortcomings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/fda-publishes-medical-device-cybersecurity - subscription required.

FDA Sends Medical Device Cybersecurity Guidance to OMB

On Friday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice from the FDA on “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions; Draft Guidance for Industry and Food and Drug Administration Staff”. This guidance document was not listed in the Fall 2021 Unified Agenda (guidance documents are not typically listed there), but this looks like it may be an update of the 2018 Draft Guidance: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.

Siemens Restricting Access to Healthineers Cybersecurity Advisories?

It looks like Siemens is taking the unusual (for Siemens) step of limiting access to cybersecurity advisories for their Healthineer products by publishing those advisories on a customer restricted access web site. Previously issued advisories are still publicly available on the Siemens CERT web page. It is not clear if future Healthineer advisories will continue to be published in that public forum.

The Announcement

Yesterday Siemens announced on TWITTER® that: “Starting by October 15 all topics related to the Siemens Healthineers Cyber Security (including security advisories) will be published at the Siemens Healthineers Cyber Security webpage”. The link provided takes you to the following statement:

“Security publications Siemens Healthineers Security Advisories: All current Siemens Healthineers reports of security issues and Security Advisories for validated security vulnerabilities that directly involve our products and require applying an update, performing an upgrade, or other customer action can be found at the Siemens Healthineers LifeNet customer online portal.”

That LifeNet customer online portal is currently accessible only to registered users. I attempted to register and received the following in an email from Suzanne Blevins, Siemens Medical Solutions USA, Inc., LifeNet Support Team:

“We are only able to provide LifeNet to customers that own Siemens equipement. I am not able to find any equipment owned by your company.”

I have sent an email to Siemens Medical Solutions requesting clarification.

Commentary

Okay, let me start by saying that Siemens (and any other company) can publish their cybersecurity advisories in whatever venue they deem most appropriate, as long as users of the affected equipment can reasonably be expected to be able to access that information in a timely manner to make appropriate risk assessment decisions about the disclosed vulnerabilities.

I suspect that this is an issue of protecting the safety of patients, and one is hard pressed to find a group more worthy of protection; especially since many (vast majority?) of the patients have nothing to do with the selection, operation, maintenance or security of the devices into which their care is placed.

One just has to look at the most recent Healthineers advisory concerning the DejaBlue vulnerabilities in Healthineer products. The advisory was published on August 9^th, 2019. The advisory notes that most of the affected products can be fixed by applying Microsoft® patches available when the advisory was published. But it also noted that at least two of the affected products would need Siemens patches that would not be available for months, and for another product Siemens recommended disabling the RDP functionality of the device. Arguably, the publication of this advisory may have increased the risk for some of the patients using the currently unfixable products.

While this is type of risk problem is also found in many of the industrial product advisories published by Siemens (as we can see in the large number of periodic updates published providing mitigation measures for yet another covered product on the original vulnerability list), the situation is a tad bit different. One should expect owners of industrial control system devices to be better masters of their cybersecurity environment than are patients hooked up to medical devices.

I am concerned, however, about how well Siemens will be able to communicate their advisories to the medical device owners. While Siemens may be able to push advisories to registered owners (and I do not know that they will be pushing advisories as opposed to just statically publishing them on their LifeNet web site) the reality of the situation is that Siemens has no way to track who is using their devices once they are sold to the initial customer (see for example this  2005 Siemens 1.5T Magnetom Espree for sale on Ebay). How is Siemens going to deal with ensuring that owners of devices sold in the aftermarket get these advisories?

Siemens has been proactive in publicly publishing cybersecurity advisories across their entire product line. Not only do they publish advisories for vulnerabilities reported by independent security researchers (directly reported or coordinated through a variety of CERTS), but they also self-disclose vulnerabilities in many of their advisories. I expect that this will continue. But if Siemens is restricting access to their Healthineer advisories to just registered owners gadflies like myself and security researchers are not going to be able to monitor their security efforts to make sure that they are taking all appropriate steps to protect the patients from undue cybersecurity risks.

HR 5961 Introduced – FY 2019 ARF Spending

Last month Rep. Aderholt (R,AL) introduced HR 5961, the Agriculture, Rural Development, Food and Drug Administration, and Related Agencies (ARF) Appropriations Act, 2019. While there are no specific mentions of cybersecurity in the bill, the Committee Report does briefly address medical device cybersecurity issues.

Medical Device Cybersecurity

The Committee provided the following guidance to the FDA (pg 67):

“The Committee believes that the FDA should address potential cybersecurity vulnerabilities in medical devices in general, but especially as the Internet of Things becomes more prevalent in healthcare. The Committee directs the FDA to report back within 120 days on the agency’s plans to understand the ongoing cybersecurity challenges of medical devices and outline a pathway forward. The plan should describe potential solutions and list compensating controls such as continuous inventory, log monitoring, data protection, micro segmentation, and patching on legacy devices to prevent cyber threats from spreading across hospital systems. The Committee encourages the FDA to seek industry collaboration to uncover the extent of the vulnerabilities and threats with a representative pathway to solving this critical issue.”

Moving Forward

The House Appropriations Committee adopted the bill by a near party-line vote of 31 to 20 (two Democrats voting aye). This suggests that there will be limited bipartisan support for the bill when it reaches the floor of the House. Reading the Minority Views section of the Report, however, would seem to indicate that some amendments from the floor might increase the level of Democratic support. This is not important for passage in the House, but a measure of Democrat buy-in in the Senate is a requirement to move a bill to the floor in that body. We will have to wait and see what the Senate version of the bill contains.

In any case, if this bill is to move forward to the President’s desk it will have to traverse a conference committee to work out the differences with the Senate bill.

ICS-CERT Publishes Two Advisories

Yesterday the DHS ICS-CERT published two advisories. One was a medical device security advisory for products from Philips. The other was a control system advisory for products from mySCADA.

Philips Advisory

This advisory describes two vulnerabilities in the Philips IntelliVue MX40 Patient Worn Monitor. The vulnerabilities are self-reported. There are no FDA Safety Communications about these vulnerabilities. Philips has issued an update that mitigates one of the vulnerabilities; another update is due later this year.

The two reported vulnerabilities are:

• Improper cleanup on thrown exception - CVE-2017-9657; and

• Improper handling of exceptional conditions - CVE-2017-9658

ICS-CERT reports that a relatively low skilled attacker with access to an adjacent network could exploit these vulnerabilities to issue 802.11 Wi-Fi management commands that can impact reporting availability of MX40 device local monitoring to a central monitoring station.

mySCADA Advisory

This advisory describes an unquoted search path or element vulnerability in the mySCADA myPRO HMI/SCADA management platform. The vulnerability was reported by Karn Ganeshen, who publicly disclosed the vulnerability on 7-28-17. mySCADA has produced a new version that mitigates the vulnerability. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker but authenticated attacker to execute arbitrary code with elevated privileges.

NOTE: Karn is pretty well known for his coordinated disclosure, so this public disclosure is unusual. There are no explanations on either the ICS-CERT or the iPositiveSecurity web site explaining why the early disclosure was made. It would be interesting to know ‘the rest of the story’.

S 1656 Introduced – Medical Device Cybersecurity

Last month Sen. Blumenthal (D,CT) introduced S 1656, the Medical Device Cybersecurity Act of 2017. The bill would provide enforceable cybersecurity standards for medical devices.

The bill would amend the Food, Drug, and Cosmetics Act by adding a new §502A, Cybersecurity for Devices. The new section would address the following:

• Definitions;

• Transparency of risk prior to marketing;

• Protecting remote access to managed solutions;

• Cybersecurity fixes or updates; and

• End-of-life device;

Additionally, the bill would give the DHS ICS-CERT specific responsibilities with respect to the cybersecurity of medical devices.

Definitions

Section 520A(a) provides definitions for two new terms; ‘cyber device’ and ‘cybersecurity fix or update’. Both definitions rely on the existing definition of device in 21 USC 321(h) for ‘device’ which is broadly “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article” with established and recognized medical applications.

With that starting point a ‘cyber device’ is any device that has network or Internet connectivity, connects to an external storage device or external media, or has any other cyber capability. The term ‘cyber capability’ or even just ‘cyber’ is not defined. Similarly, a ‘cybersecurity fix or update’ is “any modification to a cyber device that addresses a software, firmware, or hardware error or known vulnerability, or a security update, and does not change the therapeutic or diagnostic function of the device” {§520A(a)(2)}.

Transparency of Risk Prior to Marketing

Section 520A(b) would require the FDA to develop a ‘report card’ that describes the cybersecurity functions of cyber devices. That report card would include {§520A(b)(2)}:

• Information pertaining to all essential elements described in the most recent version of the Manufacturer Disclosure Statement for Medical Device Security;

• A traceability matrix, accepted by the Secretary, that establishes design components and traces such components to design compensating controls;

• A description of any manufacturer compensating controls that effectively address known common vulnerabilities and exposures;

• A description of any cybersecurity evaluation conducted on the device, including any testing, validation, or verification of the device;

• A cybersecurity risk assessment conducted by the manufacturer, or a third party, explaining the risk of the device to patient safety and clinical hazards; and

• An indication of whether the device is capable of being remotely accessed along with an indication of any security measures and access protocols the device has in place to secure any such access if the capable.

The Department of Health and Human Services would be required to make a copy of the report card available to “any health care industry entity, consisting of any provider, device manufacturer, the Federal Government, health care information security researchers, and health care academia” {§520A(b)(3)(B)(ii)(I)}.

Protecting Remote Access to Managed Solutions

Section 520A(c) establishes standards for remote access to cyber devices. First it requires that manufacturers “obtain consent for such access from the provider owning or operating the device and from any patient on which the device is used” {§520A(c)(1)(A)}. That consent may be documented in the sales agreement between the manufacturer and the provider. Second, the manufacturer is required to provide notification to the provider when such access is made. This notification can be made via provider accessible access logs.

Finally, the paragraph would establish cybersecurity standards for devices capable of remote access. Those standards would include requirements to {§520A(c)(1)(C)}:

• Implement multi-factor authentication for accessing any cyber capability of the device;

• Secure data in motion and data at rest with data encryption, and other best practices, approved by the National Institute of Standards and Technology;

• Install automated tools to track access, or identify attempts at unauthorized access, to any cyber capability of the device;

• Adopt whitelisting approaches and changeable passwords for accessing any cyber capability of the device; and

• Comply with the remote access provisions recommended by the National Institute of Standards and Technology, in the document entitled ‘Security for Telecommuting and Broadband Communications (NIST Special Publication 800–46)’, published in August 2002 [emphasis added].

Cybersecurity fixes or updates

Section 520A(d) provides guidance on the usage of ‘cybersecurity fixes or updates’. First it provides that generally “any cybersecurity fix or update shall not require a new notification under section 510(k) or application for premarket approval under section 515(c)” {§520A(d)(1)}. Finally, it provides that such fixes or updates will be provided free of charge until a date specifically agreed upon between the manufacturer and the provider, or 10 years after “the manufacturer discontinues marketing the device” {§520A(d)(2)(B)} if no such agreement is documented.

End-of-Life Devices

Section 520A(e) sets forth the requirements that manufacturers must conform to when they stop marketing a cyber device. This includes requirements to:

• Provide any provider owning or operating the device with the report card, as most recently updated;

• To the extent practicable, inform any provider owning or operating the device that the manufacturer will no longer be manufacturing such device;

• Provide notice to any provider owning or operating the device of the date on which the last cybersecurity fix or update will be provided by the manufacturer; and

• Notify the Secretary of such declaration;

Additionally, the manufacturer is required to provide the following information to the provider owning or operating the device {§520A(e)(5)}:

• Compensating controls on how to securely configure the cyber device if the device stays in operation past the date on which the manufacturer stops providing cybersecurity fixes or updates;

• Documentation on secure preparation for recycling and disposal of the device;

• Specific guidance regarding supporting infrastructure architecture, including network segmentation and device isolation requirements; and

• Instructions on how to delete any personally identifiable information, protected health information, or other site-specific sensitive data such as configuration files.

ICS-CERT and Cyber Devices

Separate from the §520A language, the bill also address the role of the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) in medical device cybersecurity. Section 2c of the bill would require DHS to expand the role of ICS-CERT to include {§520A(c)(2)}:

• Investigating cybersecurity vulnerabilities of cyber devices that may cause harm to human life or significant misuse of personal health information; and

• Coordinating device-specific responses to cybersecurity incidents and vulnerabilities with respect to cyber devices

The bill would also require DHS to establish rules concerning coordinated disclosure of cybersecurity vulnerabilities in cyber devices. Those regulations would {2(c)(4)}:

• Outline the roles and responsibilities of ICS–CERT and manufacturers and providers of cyber devices;

• Provide timelines for all required actions; and

• Provide for the enforcement of cooperation between ICS–CERT and manufacturers and providers of cyber devices

Moving Forward

Blumenthal is not a member of the Senate Health, Education, Labor, and Pensions Committee to which this bill was assigned for consideration. This means that the Committee is not likely to act on this bill; effectively killing it as a stand-alone measure. We could potentially see a version of this bill offered as an amendment to a Senate FDA authorization bill when that reaches the floor.

Commentary

While there is much to like in this bill, there are too many problems that would make the resulting regulations unworkable. I’ll mention just a few.

First and foremost, the bill completely dodges the issue of ownership of implantable cyber devices. Throughout the bill there is reference to ‘the provider owning or operating the device’ as it this person (or organization) is the only entity that has an interest in the cybersecurity of the device. The only mention of the patient is where the provider informs the patient of the agreement between the provider and the manufacturer providing the manufacturer with permission to remotely access the device. Ignoring the rights of wearers of implantable devices has got to stop.

Next, while the bill attempts to specify a fairly comprehensive set of guidelines for remote access, it completely ignores the issue of who has responsibility for periodically checking the device logs to determine if/when unauthorized attempts were made to access the device or what actions should be taken when such access attempts are noted.

That same section of the bill makes a very rookie mistake when it specifies the date of a NIST publication that will be used as a standard for remote access requirements. This particular case is particularly egregious since there have been two updates to that specific standard since the date specified.

In §520A(e)(5) we see three specific actions that manufacturers are supposed to take at device end-of-life that really should have been required when devices are first authorized to be sold. These are the requirements to provide information on:

• Documentation on secure preparation for recycling and disposal of the device;

• Specific guidance regarding supporting infrastructure architecture, including network segmentation and device isolation requirements; and

• Instructions on how to delete any personally identifiable information, protected health information, or other site-specific sensitive data such as configuration files.

Not requiring that this information be provided until the end-of-life point of the cyber device is one of the most ludicrous problems with this bill.

Finally, the provisions regarding the role of ICS-CERT in the cyber device vulnerability disclosure process completely ignores the role of the security researchers that find most of the vulnerabilities in these devices. The way the paragraph reads it almost seems as if Blumenthal expects ICS-CERT to undertake the research necessary to find the vulnerabilities. If that is the case, the bill would certainly need to provide authorization for the funding and manpower needed to realistically undertake that mission.

FDA Announces Medical Device Cybersecurity Workshop

Today the Food and Drug Administration published a meeting notice in the Federal Register (82 FR 19059-19060) for a public workshop on “Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis”. The two-day workshop will be held on May 18^th, 2017 in Silver Springs, MD. The objective of the workshop is to facilitate a discussion on the current state of regulatory science in the field of cybersecurity of medical devices, with a focus on patient safety.

Cybersecurity Regulatory Science

The FDA notes that their Center for Devices and Radiological Health (CDRH) identified medical device cybersecurity as one of their top 10 regulatory science gaps. In the CDRH publication “Regulatory Science Priorities (FY2016)” it was noted that (page 8):

“Digital Health and cybersecurity are some of the fastest growing areas impacting medical devices. Devices are being increasingly used in networked environments and are expected to communicate with one another securely and accurately. To ensure these technologies and technological environments achieve the desired public health impact, research is needed to enhance performance and security of medical devices and interoperability, and to understand the impact of software modifications on device performance.”

With that in mind the FDA, in conjunction with the National Science Foundation and the DHS Science and Technology Directorate, is attempting to establish a cybersecurity regulatory science research framework to foster a collaborative research conducted between federal agencies such as NSF, DHS S&T, academia, medical device industry, and third party experts and other organizations with input from FDA.

Workshop Agenda

This scheduled workshop is designed to support that effort by conducting a number of simultaneous working sessions discussing the following topics:

• Relationship between medical device cybersecurity and patient safety;

• Unique cybersecurity and regulatory challenges for medical devices;

• Differences in cybersecurity between home care, large health care providers, and acute care settings (e.g., ambulance, emergency room);

• The roles and intersection of information technology professionals and biomedical engineering staff;

• Potential metrics, evaluation tools to test and quantify the cybersecurity of medical devices and systems;

• Automated and manual tools for communicating cybersecurity information about medical device design and function;

• Best practices for cybersecurity of medical devices at deployment and how to apply updates throughout the medical device lifecycle;

• Human factor issues in cybersecurity of medical device development, deployment, and use of devices; and

• Best practices in cybersecurity design, deployment, and post-deployment activities and procedures.

Each of the sessions will attempt to add to address the:

• Immediate cybersecurity challenges and potential solutions to facilitate entry of innovative medical devices into the marketplace;

• Cybersecurity regulatory science gaps to which solutions can be developed through additional scientific research; and

• Long-term cybersecurity research challenges which may need significant additional basic research.

Public Participation

Personnel wishing to participate in the workshop need to register in advance via the FDA’s workshop registration page. Unfortunately, as of 8:20 am EDT today that page does not show this planned workshop even though the notice states that early registration is recommended due to limited seating.

The FDA is also soliciting written comments on the above topics. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FDA-2017-N-1572). Those comments should be submitted by June 23^rd, 2017.

Please note that the Federal Register notice specifically states that the workshop is not designed to discuss FDA policy regarding cybersecurity of medical devices.