The FDA dropped a bombshell on the health care industry last month, and companies are missing the quickest and easiest way to respond.
The FDA's latest recommendation (June 13, 2013) that "medical device manufacturers and health care facilities take steps... to reduce the risk of failure due to cyberattack" has the potential to cause a wave of waste and an expensive false sense of security unless it is approached with a proven risk process for securing these types of devices.
The FDA specifically called out both medical device manufacturers and health care facilities together, as they collectively create the attack surface for adversaries to breach. While the level of cooperation and collaboration between those two groups has been strong in many other areas, they have not yet become tightly coupled with regard to security. Security is not an either/or game, and since complete ecosystems are being attacked, complete ecosystems must be secured.
Unlike the medical industry, the energy sector -- from pipelines to oil rigs to power grids -- has long been at risk due to the relatively small industrial control systems, or ICS, that perform much of their automated decision making. While the form and function of a pacemaker and an oil pipeline are very different, the approach to securing them can be highly symbiotic. These third-party ICS are implanted into the body of an oil rig or pipeline, and then left to open and close valves, start and stop pumps, and perform other low-level but crucial tasks. In the energy space, a false command to a valve or a pump can cause blackouts, oil slicks, or toxic clouds.
To protect against threats to these ICS on an oil rig, we routinely follow precise standards and practices to help us identify and prioritize risks, develop and deploy specific countermeasures to address those risks, and then build and operate a life-cycle approach to security that accounts for the real-world changes to environments and threats. While nothing is absolute in the security business, this proven approach provides the optimum way to manage the risks associated with the energy industry's industrial control systems.
Just like with the industrial side, our "human" control systems are called Implantable Medical Devices (IMDs), and a false command to a valve or a pump in our bodies can cause instant death. As Dr. Robert Wah, president-elect of the American Medical Association, says, "We are now seeing computers being used in human hearts and brains and other parts of the body. The need to protect against cyber attacks is obviously vital. The term 'life or death situation' is the daily norm here."
Since the 1960s, a change to a pacemaker required cutting open the patient, modifying the device, and then stitching them back up. In what seemed a great breakthrough only a few years ago, implantable medical devices like pacemakers added the capability for wireless updates, which saved countless surgeries. Fewer surgeries sounds good until you start to think of the cybersecurity ramifications, which have moved a wireless pacemaker attack from a research paper, to a hit television drama, to reality -- in only five years. It's now possible to kill over the Internet, and with an estimated 86 million connected medical devices [Mocana.com 2012] around the world, it's a problem that must be addressed now.
"Implantable Medical Devices (IMDs) are increasingly a routine part of high quality healthcare delivery, and are being used regularly to help hearts to beat, ears to hear, drugs to be delivered, nerves to be stimulated, and more every day. By leveraging the energy sector's decade-long progress, we can give the healthcare eco-system the best chance to live up to the Hippocratic Oath: First, do no harm," says Marc Probst, CIO of InterMountain Healthcare.
So what did the energy sector do 15 years ago when they realized their industrial control systems (ICS) were easily attackable? After some years of quiet contemplation and discussion of the reality of such future attacks, they launched a multistep process to 1) identify the most at-risk devices in the field, 2) work to replace them with newer, more secure devices, and 3) build out industry-wide standards on how best to develop and deploy secure ICS across their ecosystem. It is these resultant standards, worked on by many, brought forth by the International Society of Automation, and known as ISA-99, that can help the medical device ecosystem just as they have helped in energy and other sectors.
While it may seem odd to view the security of a medical device in the same way you do a valve on an oil rig, the advantages to everyone are enormous.
• Lower risk for the patients, device manufacturers, and healthcare providers
• Faster implementation of improved security
• Trusted ICS workforces to lead the change
• Better sharing of security information
• Leverage of the Department of Homeland Security's (DHS) ICS-CERT
• Easier regulatory compliance
• Greater confidence by all
Treating medical devices like ICSs and applying the ISA-99 standards and other lessons learned from a decade of protecting energy-centric devices allows us to more securely develop, test, deploy and document the entire life sciences ecosystem. This will improve corporate cooperation, foster greater innovation, and support the use of medical devices in the most trusted and efficient manner. And most importantly, it will give patients the real assurance that these devices will 'do no harm.'
The FDA's June 13th guidance is just that today: guidance. While it is not yet regulation, it behooves all the players -- from manufacturers to providers -- to move swiftly, urgently, collectively, and with a methodical process that gives everyone the best chance to succeed. The good news is there is now an available blueprint for that success.
Tom Patterson is the author of Mapping Security, and is a globally recognized security expert, having worked on security and critical infrastructure protection for three decades. Tom currently serves as the Director of CSC's Global Cybersecurity Consulting division.