Tuesday, January 10, 2017

FDA’s Role in Ensuring Medical Device Security Under Review

Q&A with OIG’s IT Audit Director Jarvis Rodgers Reveals What They’re Looking for and Why

By Nikki McDonald

Nobody likes to hear they’re about to be audited. Not even when the subject of the government audit is the government itself. But auditors provide necessary independent and objective oversight that helps keep both individuals and federal agencies honest—and safe.

As IT Audit Director for the Office of Inspector General (OIG)’s Office of Audit Services within the Department of Health and Human Services (HHS), Jarvis Rodgers is charged with ensuring agencies are good stewards of taxpayer dollars, a big job when you look at the HHS’s vast mission and budget, which totals more than $1 trillion.

The HHS leads a number of important IT initiatives—such as electronic health records, medical device security, and genomic data storage—that impact all Americans. These projects and issues cut across over 100 programs operated by the different agencies within HHS, including Indian Health Service, which is responsible for providing health services to the 567 federally recognized tribes of American Indians and Alaska Natives and directly operates 28 acute-care hospitals; the Centers for Medicaid and Medicare Services, which funds healthcare for tens of millions; and the Food and Drug Administration, which is responsible for ensuring the safety, efficacy, and security of, among other things, medical devices.

The OIG announced that in 2017 it will be reviewing FDA’s role in ensuring the safety and effectiveness of networked medical devices. In this interview with Jarvis Rodgers, we asked him why the FDA review is a priority this year, what he looks for when conducting an audit, and what he thinks are the key security issues facing medical device manufacturers right now.

When your group performs an IT audit, who are you auditing and what are you trying to discover?

We conduct independent IT audits of HHS programs, grantees, and/or contractors. Our audit objectives typically vary, hence what we’re trying to “discover” will also vary. With that said, there are internal and general controls that transcend audit objectives. When auditing (IT, accounting, or performance) we are consistently assessing the stability and strength of the “control environment.” The control environment is the foundation for an internal control system and provides the discipline and structure to help an entity achieve its objectives.

When performing an after-action report of any process anomaly, the first areas an auditor or examiner will attempt to discover are the risk assessment(s) and internal controls: policies, processes, standard operating procedures, defined roles and responsibilities, etc. These controls help inform an auditor and provide a roadmap to discover where the internal control failure occurred. Whether the issue is national security or medical device security, the roadmap to discover the root cause typically remains the same. Auditors frequently find when there are lapses in response times and process failures that the culprit is ineffective internal controls and inadequate risk assessments.

The importance of internal controls should not be misconstrued: auditors are not seeking documentation for the sake of documentation. There is consensus that, in a mature and highly effective environment, internal controls are indistinguishable from the day-to-day activities personnel perform. For those who are unfamiliar with internal controls and the importance of a strong control environment, I highly encourage reading the Government Accountability Office Green Book.

What is a penetration test and why do you do them?

Penetration tests are a valuable tool in OIG’s IT Audit portfolio. They’re intended to identify vulnerabilities and security flaws in systems, devices, and controls that are in place to protect data and critical resources. This type of information security testing attempts to simulate attacks that originate either inside an organization’s computer network (typically from employees) or outside it (e.g., state sponsors).

Do people tend to panic when they find out you’re going to audit them? Like when the IRS decides to pay a visit?

Reactions of auditees do tend to vary. My advice is: although we are independent, it’s important to remember that we’re all on the same team! We’re ultimately trying to achieve the same goal; in many cases, those aims are an effective and efficient system/business process. Audits tend to go south when the auditee is adversarial, dismissive, and lacks transparency. Remember—auditors are people too! When auditees work with the audit team the final audit report can benefit all parties, and it’s more effective, relevant, and timely.

In the HHS Office of Inspector General’s fiscal 2017 work plan, your agency announced that it plans to review FDA’s role in “ensuring and monitoring the safety and effectiveness of networked medical devices.” Why is this a priority for 2017?

Security of the Internet of Things (IoT), and specifically medical devices, is an emerging issue and a growing concern for our stakeholders. Full disclosure, I do not watch Homeland; however, I am aware that in Season 2 Vice President Walden’s pacemaker was hacked and, although fictitious, this was a game changer for medical device security. People all over the world now wondered—can my device be hacked? In everyday conversations, I’ve met people who believe this actually happened—they believe the Vice President’s pacemaker was hacked—and no, they don’t wear strainer helmets with aluminum foil antennas.

The public concern over the security of medical devices is very real. OIG must have a role, and we can add value. We recognize that patching or enhancing the security of a medical device presents unique challenges. Changing a device could present unforeseen, and even catastrophic, consequences. Should a medical device be impenetrable? How much security is enough? Answering these questions is where risk assessments become important. We encourage manufacturers to consider the risk of each device and make informed decisions using a risk-based approach.

For fiscal year 2017, OIG has decided to focus on preparation (pre-market) and response planning (post-market). We believe our evaluation (pre-market) and audit (post-market) work will assist in answering two fundamental questions: 1. How is FDA ensuring that manufacturers are building in security and assessing the device’s cybersecurity risks prior to FDA-approval or clearance? and 2. Once a cybersecurity vulnerability has been identified, what plans and processes does FDA have in place to respond efficiently and timely?

What are the key security issues manufacturers face both pre-market and post-market?

Pre-market and post-market present unique challenges for FDA and manufacturers. In our pre-market work, we will examine how FDA reviews the cybersecurity of networked devices before the devices are cleared or approved. FDA has finalized the pre-market guidance; our work will focus on how FDA assesses the cybersecurity information that manufacturers include when seeking device clearance/approval.

Our post-market work will focus on FDA’s internal processes (internal controls) to timely and effectively respond to a medical device compromise, specifically a cybersecurity vulnerability. Our work will not focus on the “nuts and bolts” of specific medical devices, but rather the processes and procedures FDA has in place to respond to a medical device compromise.

What would you say are the biggest security issues facing medical device manufacturers today? Why?

I believe one of the largest hurdles facing any emerging issue is first recognizing that a new risk has presented itself and change is on the horizon. Those in the medical device community must begin to ensure that water-cooler talk about the risk within medical devices makes its way into the boardroom and ultimately the culture of the organization. Device manufacturers have to examine: How can we design our devices so that they’re secure, and still user-friendly, while also delivering care safely and in a timely manner?

Manufacturers should first conduct a risk assessment and ask: Do we have a documented and repeatable process in place to timely and effectively respond to a medical device compromise? Specifically, a cybersecurity compromise? How would our cybersecurity response differ from our response to a more traditional event, such as a faulty battery? Importantly, are we adequately prepared to deal with a reported cybersecurity vulnerability in our medical devices?

You’re participating on a panel at the Medical Device Security 101 Conference where you’ll be talking about federal policies for medical device cybersecurity with Chantal Worzala, director of policy of the American Hospital Association, and Iliana Peters, senior advisor, HIPAA Compliance and Enforcement, HHS Office for Civil Rights. What specific issues do you think you’ll be discussing or debating?

I hope to discuss how our roles and responsibilities complement one another in ensuring a timely and effective response to a medical device cybersecurity compromise.

Are there any other sessions at the conference you’re interested in attending yourself?

There are a number of great topics and experts. The two sessions I am most interested in are Principles for Medical Device Security-Risk Management; and How to Set up a Medical Device Security Program for Manufacturers. As I have mentioned in a number of responses, the first step to an effective program is appropriately assessing risk and the next step is standing up a program with strong controls, based on a solid risk assessment. I’m excited to hear what Geoffrey Pascoe and Bill Aerts have to say.


Email archimedes@umich.edu to learn how to become a supporting member of the Archimedes Center for Medical Device Security.