Control Compliance Suite

 View Only

"The Time Is Ripe to Stop Admiring the Problem" 

Oct 23, 2014 06:15 PM

Like with my previous post on this topic, I am using a quote from one of the presenters to report on Day 2 of the public FDA workshop on “Collaborative Approaches for Medical Device and Healthcare Cybersecurity”. And like with my previous post, this quote is a good indicator of the spirit of the day. It is time to moveand we are.

It was reported that the workshop had 200 registrants, requiring the creation of an overflow room, and that Day 1 drew 1100 remote participants!

In his opening keynote Michael Daniel, Special Assistant to the president and White House Cybersecurity Coordinator, called cybersecurity one of the defining challenges of the 21st century and referred to it as a “wicked” problem (drawing applause from the Bostonians in the audience) due to its complex nature: technical, scientific, economical, political, and human. He pointed out that we don’t really understand the economics of cybersecurity and that, since Target and Home Depot, this is now a very public and well known problem. But as individuals we are not good at rationally thinking about risk and make the right decisions. He left the audience with two thoughts to ponder: What is the cost of good security? What is the cost of bad security?

Summarizing the key discussions from Day 2:

  • Look at existing frameworks, standards, and initiatives that could be used, with modification and healthcare adaptation, as a blueprint, baseline, or solutions path. Examples:
    - NIST Critical Infrastructure Cybersecurity Framework
    - Library of STIGs (Security Technical Implementation Guides
    - DHS C³ Program (Critical Infrastructure Cyber Community)
    - CSET (Cyber Security Evaluation Tool)
    - BSIMM (Building Security In Maturity Model)
    - CWE (Common Weakness Enumeration / Top 25 Dangerous Software Errors)
  • Develop the concept of commonly used building blocks with a attached degree of assurance; reference architectures; integration frameworks; and commonly used descriptors for threats and vulnerabilities.
  • There is a clear cost vs. risk tradeoff. Businesses are very adapt in making these decisions, but may lack the model specific to cyber risks. We need to produce meaningful continuity and visibility from the technical and device level to the business and boardroom level.
  • But complexity could become the enemy; a prudent approach is the preferred path. How do we scale down so this becomes practical for small hospitals and small companies? (70% of medical device companies in the US have fewer than 10 employees).
  • Sharing will be keyone organization’s attack will be another organization’s defense. It is a collective problem, the airline industry was mentioned as an example: if one plane crashes, customers will make decisions about air travel and all will see their business impacted. Reporting should be incentivized; the “Cybersecurity Information-Sharing Tax Credit Bill” was mentioned as an example.
  • Also, reporting of incidents (real or research) is key. Cybersecurity incidents should be reported just like patient safety incidents. Manufacturers need to be open to feedback, e.g. provide an email address for security researchers and customers to use for reporting.
  • Manufacturers reported that some are looking at security the same as safety and are treating malicious activity the same as any other failure mode within their hazard analysis and quality systems processes.
  • Several discussions on the differenceand often disconnectbetween IT and Biomedical engineering. Even though it may be a network, Biomedical priorities are always different (e.g. availability first). On the other side, many medical devices are too “brittle” from an IT perspective; e.g. do not withstand a basic port scan.
  • What could the path forward look like?  Communication is critical; we need to stay clear and focused; define the “its” (aka deliverables); and recognize the value of a two-pronged approach: easy and quick wins combined with long-term strategy. “Walk before you run”. We need definition of the ecosystem, stakeholder mapping (needs, gaps, contributions), and a systems approach to the problem.
  • Past, presence and future look quite different. The legacy device problem will be with us for a while and may require a different approach than devices being designed today. Future care delivery models may generate yet another set of challenges as we move towards “hospitals without walls” (home care, mHealth, etc.).

Mary Logan (President of AAMI) suggested an approach of system level thinking. Healthcare is complex, the problem is sociotechnical, we mix old and new products, make assumptions about how they will be used, and do so under disperse regulations. We have “no integrator, yet we integrate”.

In conclusion, this was an enlightening event and has laid the foundation for a new approach and path forward. Between more complex networks, increasing threats, and growing public concern, we can not afford to not solve the problem. And the “we” is all of us – regulators and government agencies, healthcare providers, manufacturers, and security experts. We can not assume that the vast vulnerabilities of our medical devices will not be exploited – to close with another and final quote: “Security based on the goodwill of strangers is not a good strategy”.

Statistics
0 Favorited
0 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Related Entries and Links

No Related Resource entered.