Yesterday, Dr. Suzanne Schwartz released a blog to update us on the FDA’s role in medical device cybersecurity.
Cybersecurity risks in medical devices are nothing new. As far back as 2012, Sonatype published warnings of security risks in pacemakers that could lead to lethal attacks. Last year, Johnson & Johnson warned of cyber vulnerabilities in their insulin pumps. More recently, our 2017 State of the Software Supply Chain Report shared details of pacemaker programming machines that were discovered to have over 8000 known software vulnerabilities (see page 37).
When it comes to software in medical and other devices, cybersecurity will be a constant threat requiring constant vigilance. The encouraging guidance I read from the FDA blog was that cybersecurity should not be limited to devices already on the market, but that security needs build in throughout the product lifecycle. Dr. Schwartz remarked:
“It is the goal of FDA’s Center for Devices and Radiological Health to encourage a coordinated approach of vigilance, responsiveness, resilience, and recovery that fits our culture of continuous quality improvement.
“This means taking a total product lifecycle approach, starting at the product design phase when we build in security to help foil potential risks, followed by having a plan in place for managing any risks that might emerge, and planning for how to reduce the likelihood of future risks.”
In these two brief statements, Dr. Schwartz shares views that are common in many of today’s DevSecOps conversations. Perhaps she has been listening in?
The first view is that we need to “emphasize the performance of the entire system and never pass a defect downstream” (Gene Kim’s first way of DevOps). Schwartz recommends that device manufacturers start by building security in at the earliest stages of the development lifecycle. Security cannot be an afterthought.
Dr. Schwartz also recognizes that even when precautions are taken early in the lifecycle, that risks can emerge over time as new vulnerabilities are discovered. When it comes to device security, vigilance must be continuous across the development lifecycle and over the product’s life in the market. As we have said for years, software ages like milk, not wine. Constant vigilance improves our ability to identify risks, initiate feedback to development teams, and remediate issues in the device’s software. The faster we can address risks when they appear, the safer we can make the lives of consumers who rely on them.
I applaud the FDA’s guidance and its proactive stance here to work with device manufactures. What we don’t want is a knee-jerk reaction to medical device security after someone has died. What we need is for security to be ingrained in the planning, design, production, and maintenance of medical devices our families rely upon.