Sunday, November 30, 2014

President's Message: FDA Applying Systems of Systems Approach to Deal with Cybersecurity for Medical Devices and Healthcare

I recently attended a webcast hosted by the Food and Drug Administration (FDA) to address cybersecurity for medical devices and healthcare. It was a call to action to engage medical device manufacturers, healthcare organizations, the FDA and other government agencies, such as the Department of Homeland Security (DHS), to address the advanced and persistent cyber threats to systems. Cybersecurity is fundamentally a people problem which is enabled by technology: people are responsible for initiating attacks, and the internet of everything is exploited to facilitate these attacks.

The FDA regulates medical devices, but there are over 100,000 medical devices, so there is an expectation that manufacturers are assessing risk and taking control measures. The FDA does not regulate the healthcare providers, which represent a vast spectrum from national institutions like the Veteran's Administration Hospital to individual doctors. This is one of the pain points identified for systems of systems: no central authority. The FDA strategy is to foster collaboration in order to address the vulnerability posed by cybersecurity. This affects medical devices as well as healthcare providers, and any breach to these systems could lead to an attack on other systems, which is why DHS is engaged.

The systems of systems’ need for inter-operability drives requirements for inter-connectivity, which exposes cybersecurity vulnerabilities. Inter-operability improves the efficiency of providing healthcare, which improves patient care, but it also boils down to economics. This is a tradeoff between information access and security.

The National Institute of Standards and Technology (NIST) defined a framework for improving cybersecurity. A core element of the framework is the identification of the risk. The risk assessment considers the interfaces of the constituent systems in the risk environment. This is challenging because, as previously stated, healthcare providers represent a vast spectrum and inter-connect systems in a variety of ways. Also, some medical devices are classified as legacy devices because they have a long service life and may lack security features. When these legacy devices are interfaced with other systems, they present a vulnerability to the systems of systems. Another core element of the framework is detection of an attack. Detection is always after the fact, so the focus is on remediation. The reporting of an attack is an interface that needs to develop in order to share the information and reduce the risk to other systems. A common model needs to be defined to bridge organizational barriers and sectors and to address concerns about reputation, liability and intellectual property.

An element of the discussion that I found particularly interesting is the human aspect. While there is the obvious human aspect of the hackers who initiate the attack, the healthcare providers are hackers in their own right. The healthcare providers' priority is patient care, and they are resilient at devising workarounds to use the systems at their disposal. Additionally, availability of systems to provide care trumps security, so even if a vulnerability is detected, the system will be used as long as it can continue to satisfy its intended use.

Throughout the two-day webcast, attended by a large, diverse community, the theme of systems of systems was repeated. Cybersecurity is a multi-faceted wicked problem covering economics, technology, human factors, politics, physics and math. Numerous constituent systems are involved. It requires systems thinking. The FDA is facilitating a collaborative environment to provide leadership in solving these issues. The mission of the FDA is to ensure that medical devices are safe and effective and to ensure security going forward.

By Rollie Olson
INCOSE SFBAC President 
