If it were possible to be unaware of the general problem of cybersecurity, the recent Sony hack with its public disclosures of "private" e-conversations and then terroristic blackmail, following the earlier release of celebrity cloud photos, ought to have provided notice that what is electronically stored is likely to be available to those determined to have it. Moreover we know that cybersecurity can in principle also impact the function and availability of connected systems (Sony again) and/or the information they contain. We also need to be concerned about the malicious alteration of information or disruption of device performance. You may remember the hacked insulin pump story which is already a few years old, and the story that the wireless function of Vice President Cheney's pacemaker was disabled to protect against hacking.
In this broad context it may be worth taking a look at the FDA's now posted contents of the October 21-22, 2014 FDA workshop on "Collaborative Approaches for Medical Device and Healthcare Cybersecurity". There is also a link there to the October 29 FDA Webinar on the Final Guidance on Premarket Submissions for Management of Cybersecurity in Medical Devices. (If that link doesn't work, as it didn't for me, try here.) I had not been aware that October was National Cybersecurity Awareness Month under the auspices of the Department of Homeland Security (DHS).
The stated purpose of the workshop was to bring together all stakeholders in the healthcare and public health sector including medical device manufacturers, healthcare facilities and personnel (e.g. healthcare providers, biomedical engineers, IT system administrators), professional and trade organizations (including medical device cybersecurity consortia), insurance providers, cybersecurity researchers, local, State and Federal Governments, and information security firms in order to identify cybersecurity challenges and ways the sector can work together to address these challenges. Some 1300 people were there.
The posted contents provide a rich after-the-fact resource from the workshop including separate videos of each session, the slides presented, and a word-for-word transcript of the proceedings. The availability of the materials in relatively small chunks allows for selected viewing or digesting it in several viewing sessions. However for those into binge viewing, you can also do two days straight. There were ten sessions beginning with Framing the Question, traversing Gaps and Challenges, and addressing the NIST Framework for Improving Critical Infrastructure, and Risk Assessment. The concluding session was consideration of Building Potential Cybersecurity Solutions/Paths. Each of these sessions was either a panel discussion, or had one or more presenters and a group of discussants, resulting in a great deal of material and many perspectives. There were also four keynotes: Marty Edwards (DHS), Edward Gabriel (Assistant Secretary of Preparedness and Response), Michael Daniel (Special Assistant to the President), and Mary Logan (AAMI).
A potentially interesting sequel to the workshop is the creation of a limited access discussion forum provided by MITRE. Set up on its Handshake website, the intent is to continue the dialogue from the workshop around common challenges and possible paths forward in medical device and healthcare cybersecurity. Among its benefits, the collaboration space is said to afford the community the opportunity to share best practices and to join one or more of the 5 subgroups of specific interest. Of course no discussion venue these days can be free of its own privacy (or lack thereof) statement. MITRE states that "the user’s name, profile photo, connections (social graph), and activity stream of non-access controlled activities are visible to all participants in this collaborative space". When I joined this forum there were 42 members but a minimal level of activity, so it remains to be seen whether this resource actually becomes of any value.
One might note in this regard that there is no shortage of electronic ways to discuss cybersecurity or anything else these days, and that in most cases discussion by itself does not solve problems as compared to actually doing something. This is perhaps the empty promise of social media where passing around snippets of ideas is confused with actual work and accomplishment. In fact social media participation often takes place instead of actual work. And yes, I realize the irony of making this observation in a blog post.
There is little doubt that cybersecurity concerns, in all their forms, will be with us for some time to come. I currently have three different identity security accounts provided by three different breached entities, including healthcare and the federal government. While cyber risk management practices provide some level of protection, and must be put in place, monitored and maintained, it seems that the threats will continue to exist and to evolve. Of course there are those that benefit from this challenge, reminding us that one person's adversity is often another person's source of income.
Nonetheless, spend some time with the FDA workshop. There is much to learn.
There has been a little more activity at the MITRE discussion site with respect to a NIST draft use case on the security of Wireless Infusion Pumps. The draft document itself is available outside of the MITRE site at http://nccoe.nist.gov/content/medical-devices. There is an open comment period, recently extended through February 20, 2015.