Tuesday, January 10, 2017

FDA’s Role in Ensuring Medical Device Security Under Review

Q&A with OIG’s IT Audit Director Jarvis Rodgers Reveals What They’re Looking for and Why

By Nikki McDonald

Nobody likes to hear they’re about to be audited. Not even when the subject of the government audit is the government itself. But auditors provide necessary independent and objective oversight that helps keep both individuals and federal agencies honest—and safe.

As IT Audit Director for the Office of Inspector General (OIG)’s Office of Audit Services within the Department of Health and Human Services (HHS), Jarvis Rodgers is charged with ensuring agencies are good stewards of taxpayer dollars, a big job when you look at the HHS’s vast mission and budget, which totals more than $1 trillion.

The HHS leads a number of important IT initiatives—such as electronic health records, medical device security, and genomic data storage—that impact all Americans. These projects and issues cut across over 100 programs operated by the different agencies within HHS, including Indian Health Service, which is responsible for providing health services to the 567 federally recognized tribes of American Indians and Alaska Natives and directly operates 28 acute-care hospitals; the Centers for Medicaid and Medicare Services, which funds healthcare for tens of millions; and the Food and Drug Administration, which is responsible for ensuring the safety, efficacy, and security of, among other things, medical devices.

The OIG announced that in 2017 it will be reviewing FDA’s role in ensuring the safety and effectiveness of networked medical devices. In this interview with Jarvis Rodgers, we asked him why the FDA review is a priority this year, what he looks for when conducting an audit, and what he thinks are the key security issues facing medical device manufacturers right now.

When your group performs an IT audit, who are you auditing and what are you trying to discover?

We conduct independent IT audits of HHS programs, grantees, and/or contractors. Our audit objectives typically vary, hence what we’re trying to “discover” will also vary. With that said, there are internal and general controls that transcend audit objectives. When auditing (IT, accounting, or performance) we are consistently assessing the stability and strength of the “control environment.” The control environment is the foundation for an internal control system and provides the discipline and structure to help an entity achieve its objectives.

When performing an after-action report of any process anomaly, the first areas an auditor or examiner will attempt to discover are the risk assessment(s) and internal controls: policies, processes, standard operating procedures, defined roles and responsibilities, etc. These controls help inform an auditor and provide a roadmap to discover where the internal control failure occurred. Whether the issue is national security or medical device security, the roadmap to discover the root cause typically remains the same. Auditors frequently find when there are lapses in response times and process failures that the culprit is ineffective internal controls and inadequate risk assessments.

The importance of internal controls should not be misconstrued; auditors are not seeking documentation for the sake of documentation. There is consensus: in a mature and highly effective environment, internal controls are indistinguishable from day-to-day activities personnel perform. For those who are unfamiliar with internal controls and the importance of a strong control environment, I highly encourage reading the Government Accountability Office Greenbook.

What is a penetration test and why do you do them?

Penetration tests are a valuable tool in OIG’s IT Audit portfolio. They’re intended to identify vulnerabilities and security flaws in systems, devices, and controls that are in place to protect data and critical resources. This type of information security testing attempts to simulate attacks that are either internal (typically from employees) to an organization’s computer network or outside (e.g., state sponsors).

Do people tend to panic when they find out you’re going to audit them? Like when the IRS decides to pay a visit?

Reactions of auditees do tend to vary. My advice is: although we are independent, it’s important to remember that we’re all on the same team! We’re ultimately trying to achieve the same goal; in many cases, those aims are an effective and efficient system/business process. Audits tend to go south when the auditee is adversarial, dismissive, and lacks transparency. Remember—auditors are people too! When auditees work with the audit team the final audit report can benefit all parties, and it’s more effective, relevant, and timely.

In the HHS Office of Inspector General’s fiscal 2017 work plan, your agency announced that it plans to review FDA’s role in “ensuring and monitoring the safety and effectiveness of networked medical devices.” Why is this a priority for 2017?

Security of the Internet of Things (IoT), and specifically medical devices, is an emerging issue and a growing concern for our stakeholders. Full disclosure, I do not watch Homeland; however, I am aware that in Season 2 Vice President Walden’s pacemaker was hacked and, although fictitious, this was a game changer for medical device security. People all over the world now wondered—can my device be hacked? In everyday conversations, I’ve met people who believe this actually happened—they believe the Vice President’s pacemaker was hacked—and no, they don’t wear strainer helmets with aluminum foil antennas.

The public concern over the security of medical devices is very real. OIG must have a role, and we can add value. We recognize that patching or enhancing the security of a medical device presents unique challenges. Changing a device could present unforeseen, and even catastrophic, consequences. Should a medical device be impenetrable? How much security is enough? Answering these questions is where risk assessments become important. We encourage manufacturers to consider the risk of each device and make informed decisions using a risk-based approach.

For fiscal year 2017, OIG has decided to focus on preparation (pre-market) and response planning (post-market). We believe our evaluation (pre-market) and audit (post-market) work will assist in answering two fundamental questions: 1. How is FDA ensuring that manufacturers are building in security and assessing the device’s cybersecurity risks prior to FDA-approval or clearance? and 2. Once a cybersecurity vulnerability has been identified, what plans and processes does FDA have in place to respond efficiently and timely?

What are the key security issues manufacturers face both pre-market and post-market?

Pre-market and post-market present unique challenges for FDA and manufacturers. In our pre-market work, we will examine how FDA reviews the cybersecurity of networked devices before the devices are cleared or approved. FDA has finalized the pre-market guidance; our work will focus on how FDA assesses the cybersecurity information that manufacturers include when seeking device clearance/approval.

Our post-market work will focus on FDA’s internal processes (internal controls) to timely and effectively respond to a medical device compromise, specifically a cybersecurity vulnerability. Our work will not focus on the “nuts and bolts” of specific medical devices, but rather the processes and procedures FDA has in place to respond to a medical device compromise.

What would you say are the biggest security issues facing medical device manufacturers today? Why?

I believe one of the largest hurdles facing any emerging issue is first recognizing that a new risk has presented itself and change is on the horizon. Those in the medical device community must begin to ensure that water-cooler talk about the risk within medical devices makes its way into the boardroom and ultimately the culture of the organization. Device manufacturers have to examine: How can we design our devices so that they’re secure, and still user-friendly, while also delivering care safely and in a timely manner?

Manufacturers should first conduct a risk assessment and ask: Do we have a documented and repeatable process in place to timely and effectively respond to a medical device compromise? Specifically, a cybersecurity compromise? How would our cybersecurity response differ from our response to a more traditional event, such as a faulty battery? Importantly, are we adequately prepared to deal with a reported cybersecurity vulnerability in our medical devices?

You’re participating on a panel at the Medical Device Security 101 Conference where you’ll be talking about federal policies for medical device cybersecurity with Chantal Worzala, director of policy of the American Hospital Association, and Iliana Peters, senior advisor, HIPAA Compliance and Enforcement, HHS Office for Civil Rights. What specific issues do you think you’ll be discussing or debating?

I hope to discuss how our roles and responsibilities complement one another in ensuring a timely and effective response to a medical device cybersecurity compromise.

Are there any other sessions at the conference you’re interested in attending yourself?

There are a number of great topics and experts. The two sessions I am most interested in are Principles for Medical Device Security-Risk Management; and How to Set up a Medical Device Security Program for Manufacturers. As I have mentioned in a number of responses, the first step to an effective program is appropriately assessing risk and the next step is standing up a program with strong controls, based on a solid risk assessment. I’m excited to hear what Geoffrey Pascoe and Bill Aerts have to say. 


Tuesday, November 22, 2016

How to Make Medical Devices More Secure

Q&A with Medtronic’s Retired Director of Product Security Bill Aerts

By Nikki McDonald

Former Medtronic Director of Product Security Bill Aerts took some time recently to discuss the new security challenges arising from the IoT of medical devices, how to put together a strong security program, and the current state of medical device security (and how we can fix it). 

Aerts will be hosting a training session on How to Set up a Medical Device Security Program for Manufacturers at the Archimedes Medical Device Security 101 Conference this January. 

Describe your experience in the medical device security field and how it’s led to the work you’re doing now.

I’ve had the opportunity to start and develop IT security programs at a number of large companies over my career, including the program at Medtronic. As time moved on, it was clear that the products and services that Medtronic sells had some of the same IT security challenges, as well as many unique challenges and situations.

As my wife has benefitted from many heart devices, I’ve always been very interested in making sure that products are secure, so I jumped at the opportunity to build a medical device security program at Medtronic. It has been a great experience and the program is really having an impact.

More recently, I realized that 30+ years working in large corporations was enough, and that I wanted to try something new, so I retired from Medtronic. Now, I’m excited about any kind of work I can do in this field to help all of the players in the medical device security industry create better and more secure products. There is so much opportunity and challenge ahead.

As more medical devices have become wirelessly connected, what new security challenges have arisen?

The list is long: asset management is difficult because of the wide variety of vendors and unique devices connected to a hospital network...protecting the storage and use of personal information as it is sent anywhere in the world...lack of physical control over the device.

Secure communications, including authentication and encryption, is also a real challenge. Being connected to the Internet is an even higher risk for medical devices than for a typical laptop or mobile device. It will be difficult to secure IoT devices as they multiply.

How serious is the risk to patients?

Real security risk does exist in connected medical devices, especially in older ones. Any security risk needs to be taken very seriously to protect patient safety, but the key question to me is always, “Does the therapy that the device provides outweigh the risk of a security problem?”

In the majority of current cases, the risk is relatively low, and the benefit is very high. That said, there are too many devices out there that have poor security and they need to be addressed as quickly as possible. The risk to patients is growing quickly as more connected devices are used, and the IoT becomes full of medical-related “things.”

What can medical device manufacturers do to create more secure products?

They need to build a program around device security and have strong commitment from the top, as well as assignment of accountability. This may require that they find or buy more expertise on security, specifically in medical devices.

Manufacturers need to leverage new security technologies and build security into the development of new products from the beginning. As part of this process, they must engage heavily with their healthcare customers to really understand what needs to be improved with their products, and then support the security functions in their products when they’re in the field.

What are the key components of a strong security program for device manufacturers?

A successful security program should have strong leadership and governance, security built into the entire product lifecycle, training and education on security for those people developing products, independent assessment and security testing in products, a repeatable coordinated response capability, and heavy engagement with the communities outside of the company, including patients, providers, researchers, regulatory agencies, industry groups, and the press.

What are some of the common struggles manufacturers have in implementing a security program?

One of the biggest issues many face is simply getting the support and funding they need from leaders to build a new capability and hiring the right people to do it. Manufacturers have to educate engineers about the real threats that exist for these products and secure their understanding and support as well. To get a security program in place, it’s essential to bring together IT people with R&D engineering people and help them understand that they need each other to take on this challenge.

It can also be difficult to find the right expertise from inside or outside the company and to get Legal and Regulatory onboard without being too cautious and slowing things down.

What can manufacturers do to overcome these issues?

Gaining support from executive leadership, including the BOD, is essential. Sell it to them based on patient safety, regulatory requirements, and requirements coming from the healthcare customers that are buying the products. Provide training/education on the risks and remedies done by outside expert groups. Invite Legal and Regulatory into the discussion early, and expose them to what the industry and other competitors are doing. Put deliberate effort into bringing the IT experts together with the engineering experts in order for them to learn each other’s language and build productive relationships. If needed, have security assessments done on core legacy products to be sure there is good understanding of the risks.

St. Jude Medical was in the news recently when a report indicated that their pacemakers could be hacked and Johnson & Johnson recently released a warning that their insulin pumps could be vulnerable to hackers. How widespread is this problem? What is the state of medical device security today?

We know there are large numbers of devices out there right now that are not secure. There will be more events like these recent examples in the future, and they could involve any manufacturer or connected device. Many of the devices in use today were designed years ago when the only requirement was patient safety.

A lot has been accomplished in the last three to four years by manufacturers, healthcare providers, and regulators, as well as security researchers working with the community to help improve security. I hope we’ll see the benefit of that collaboration in the next few years as newer, more secure devices are rolled out. In the meantime, we need to put mitigations in place, and continue to measure security risk against therapy benefit.

You’re teaching at the Medical Device Security 101 Conference this January. Who do you think should attend and what are the most important things they’ll learn?

My session will be on building a strong medical device security program. I believe that anyone who has or desires responsibility to ensure their medical devices are safe and secure would have great interest in this, regardless of how big or small their company is, or how new or mature their program is.

They will learn about the importance of taking a programmatic approach, getting executive support and creating governance, integrating security into the product development process, engaging the right people, coordinated response, and the importance of being connected within the industry, among other topics.


The Medical Device Security 101 Conference takes place January 15-17, 2017 at Disney’s Yacht & Beach Club Resorts in Lake Buena Vista, Florida. Register today to get access to over 20 expert speakers at this highly selective event attended by medical device manufacturers and healthcare delivery organizations.


Professor to Congress: 'Internet of Things security is woefully inadequate'

From: Nicole Casal Moore
Michigan Engineering

As the Internet of Things grows around us, so does the threat of cybersecurity breaches severe enough to shut down hospitals and other vital infrastructure, a Michigan Engineering professor told federal lawmakers this week.

Kevin Fu, associate professor of computer science and engineering, and director of the Archimedes Center for Medical Device Security, was one of several experts who called for federal security regulation of the Internet of Things (IoT). He spoke to the House Energy and Commerce Committee at the Nov. 16 hearing, “Understanding the Role of Connected Devices in Recent Cyber Attacks.”

On Oct. 21, many high-traffic sites including PayPal, Twitter, Amazon and Netflix went down for several hours due to an IoT-powered attack on web service provider Dyn. Hackers carried out the attack by taking advantage of vulnerabilities in connected consumer devices like webcams and digital video recorders—perhaps millions of them.

While the consequences of the Dyn breach were not major, Fu warned that it demonstrates a gaping security hole as more and more consumer technologies—appliances, thermostats, cars, airplanes, and medical devices—become connected.

“I fear for the day every hospital system is down,” CNN quoted him as saying. “This will require some kind of governmental mandate.”

Companies don’t have enough incentive to do it on their own, he argued.

“We are in this sorry and deteriorating state because there’s almost no cost for a manufacturer to deploy products with poor cybersecurity,” CIO quotes him as saying.

He called on a variety of sectors to help put safeguards in place.

“Universities, industry and government must find the strength and resolve to invest in embedded cybersecurity with interdisciplinary science and engineering, industrial partnerships for research and education, and service to the nation,” he said.

Read Fu’s full testimony or watch a video of the hearing at the E&C committee websites of the Republican majority or the Democrat minority.

U-M’s Archimedes Center for Medical Device Security offers a Medical Security 101 training for healthcare organizations, device manufacturers, and regulators in Orlando Jan. 15-17, 2017. The center is a multidisciplinary team of medical and computer science experts who focus on research, education and on advising industry leaders on methods for improving medical device security.
