The Food and Drug Administration in recent draft guidance urges medical device makers to join a group that would allow them to share information on cyberthreats, but big questions remain about what the structure of such a group — called an information sharing analysis organization, or ISAO — would be.
The draft, released last month, outlines recommendations to help manufacturers manage vulnerabilities of their devices once they hit the market. If device makers participate in an ISAO and meet a few other requirements, they wouldn’t have to undergo corrective actions, like a recall, if they uncover certain kinds of online vulnerabilities in their products.
Only a year ago, the president issued an executive order encouraging the development of ISAOs to promote collaboration between the public and private sectors. The contract to the research organization that is writing a set of guidelines and best practices for ISAOs was only awarded last fall — leaving major questions unanswered as yet. Those big gaps are posing “probably the biggest challenge for us,” said Dr. Suzanne Schwartz, the FDA’s associate director for science and strategic partnerships, last week at the Atlantic Council’s Cyber Statecraft Initiative.
Currently, the agency is taking feedback on what characteristics such an ISAO for medical devices should have and recently held an industry day to garner comments as well, she said.
“This is an opportunity that we see at the agency to really jump in and have the community help us define it for health care and public health, for our sector, in a way that’s going to work,” she said.
Indeed, Axel Wirth, distinguished technical architect for U.S. health care industry at Symantec, told FedScoop different types of medical devices face different risks. For example, malfunctions of pacemakers and implantable devices could directly cause a patient harm, but if a bad actor exploits vulnerabilities in X-ray or ultrasound imaging equipment, it may only stymie a hospital’s ability to deliver care, he said.
Because of these differences, hypothetically, a group of ISAOs could address different sectors of medical devices.
“We have about 8,000 medical device manufacturers in the U.S.,” he said. “It would probably be unrealistic to assume that they would participate in one ISAO. The devices are so different and the [company] sizes are so different.”
At the same time, more isn’t always better: He said that having too many ISAOs dilutes their effectiveness.
“There is a risk that this will not be planned and you’ll see people come out of the woodwork and declare their own ISAOs and do their own thing,” he said. “Hopefully that does not happen because I think it would create more disturbance and chaos than it would help to provide clarity.”
But he said that “the regulatory carrot is there” — in the draft guidance — to encourage device manufacturers to join up.
The draft guidance says that FDA has entered into a memorandum of understanding with the National Health Information Sharing & Analysis Center, or NH-ISAC, “to assist in the creation of an environment that fosters stakeholder collaboration and communication” around the security of medical devices. ISACs, which have been around since 1998, are like the original ISAOs, but are built specifically for particular critical industrial sectors, like health care, financial services or oil and gas.
Already, some device manufacturers have started joining information sharing groups like NH-ISAC, according to Russell Jones, partner in Deloitte’s Cyber Risk Services. But he said others are holding back because of concerns about regulatory or reputational issues.
“There are concerns out there about things such as — well, if I share this vulnerability information, what’s to stop the FDA from opening an investigation about me?” he said. “Or if I share this vulnerability information and all the circumstances surrounding it,” how does the information get anonymized? He said that NH-ISAC has a working group to help address these concerns.
NH-ISAC President Denise Anderson said the FDA seemed to want her group to fill the medical device ISAO role. Her organization already has a special medical device security section that includes device makers as well as the hospital systems that use the devices.
“I would hope … our government partners, in recognition with their partnership with the ISAC, [would say that] this is the place to go,” Anderson said. But she said it’s incumbent upon industry to tell government that’s what they want.
She said her organization’s membership is growing rapidly, particularly in the device maker arena. But Anderson, who previously served as vice president of the Financial Services ISAC, added that members of the health industry may not always grasp why information sharing is important.
Education, she said, is key.
“We are our own worst enemy,” she said. “And if we don’t get together and share with each other and work with each other — the bad guys are doing it — it’s to our detriment.”
In the meantime, FDA is taking comments on the draft guidance through April 21.
“It will be interesting to see what the collective comments to the document will be,” Wirth said. He added, “I think it’s going to be an interesting spectrum.”