May 24, 2017
EMERGO SUMMARY OF KEY POINTS:
The US Food and Drug Administration’s latest workshop on medical device cybersecurity issues, held May 18 and 19, 2017, made clear that mitigating this risk poses myriad challenges, and that no easy or quick fixes are yet available to help manufacturers and other stakeholders address them.
That said, some speakers at the workshop discussed near- and longer-term projects underway that could go beyond current patchwork efforts and provide more robust and comprehensive cybersecurity safeguards. With the recent WannaCry ransomware attack on health systems in multiple countries still fresh on workshop attendees’ minds, the need for such projects was acute and demonstrable.
One such project, ISOSCELES (Intrinsically Secure, Open, and Safe Control of Essential Layers), is being developed by Minneapolis, Minn.-based Adventium Labs under an initiative by the US Department of Homeland Security to boost cybersecurity for critical technologies and systems.
Todd Carpenter, Chief Engineer at Adventium Labs, spoke at the workshop about ISOSCELES; the project aims to launch a medical device platform that meets all relevant FDA regulatory and security requirements, and that manufacturers can incorporate into their individual proprietary designs.
Carpenter explained that a key aspect of ISOSCELES will be to provide a layer of separation between a medical device’s medical-related core function and its components for networking with other devices and systems.
Another potential avenue to better address medical device cybersecurity was presented by Penny Chase, Information Technology and Cyber Security Integrator, and Steve Christey Coley, Principal Information Security Engineer at MITRE Corporation.
Chase and Christey Coley discussed efforts to utilize the Common Vulnerability Scoring System, or CVSS, a framework developed by the Forum of Incident Response and Security Teams (FIRST) to identify the severity of software risks. Using CVSS, medical device manufacturers and healthcare providers may be able to prioritize the cybersecurity risks and vulnerabilities they face and determine which vulnerabilities most critically require mitigation efforts, according to the MITRE officials.
The key benefit CVSS would bring to the medical device sector, argued Chase and Christey Coley, would be the ability for healthcare providers and practitioners to rank and act upon device security issues according to the level of risk each issue poses to users and patients; this more nuanced approach should help reduce the impact of cybersecurity risks without affecting devices’ treatment capabilities.
Work on both ISOSCELES and CVSS for medical devices and systems is ongoing; however, despite the perpetual moving target that is cybersecurity risk mitigation, the more comprehensive scope these projects are taking should provide more effective means for manufacturers, healthcare providers, regulators and patients to combat this ever-evolving problem.