The FDA regulates medical devices, but there are over 100,000 medical devices, so there is an expectation that manufacturers are assessing risk and taking control measures. The FDA does not regulate the healthcare providers, which represent a vast spectrum from national institutions like the Veterans Administration hospitals to individual doctors. This is one of the pain points identified for systems of systems: no central authority.
The FDA strategy is to foster collaboration in order to address the vulnerability posed by cybersecurity. This affects medical devices as well as healthcare providers, and any breach of these systems could lead to an attack on other systems, which is why DHS is engaged.
The systems of systems' need for interoperability drives requirements for interconnectivity, which exposes cybersecurity vulnerabilities. Interoperability improves the efficiency of providing healthcare, which improves patient care but also boils down to economics. This is a tradeoff between information access and security.
The National Institute of Standards and Technology (NIST) defined a framework for improving cybersecurity. A core element of the framework is the identification of risk. The risk assessment considers the interfaces of the constituent systems in the risk environment. This is challenging because, as previously stated, healthcare providers represent a vast spectrum that interconnects systems in a variety of ways. Also, some medical devices are classified as legacy devices because they have a long service life and may lack security features. When these legacy devices are interfaced with other systems, they present a vulnerability to the systems of systems.
Another core element of the framework is detection of an attack. Detection is always after the fact, so the focus is on remediation. The reporting of an attack is an interface that needs to be developed in order to share the information and reduce the risk to other systems. A common model that bridges organizational barriers and sectors, and addresses concerns about reputation, liability and intellectual property, needs to be defined.
An element of the discussion that I found particularly interesting is the human aspect. While there is the obvious human aspect of the hackers who initiate the attack, the healthcare providers are hackers in their own right. The healthcare providers' priority is patient care, and they are resilient at devising workarounds to use the systems at their disposal. Additionally, availability of systems to provide care trumps security, so even if a vulnerability is detected but the system can continue to satisfy its intended use, it will be used.
Throughout the two-day webcast, attended by a large and diverse community, the theme of systems of systems was repeated. Cybersecurity is a multi-faceted wicked problem covering economics, technology, human factors, politics, physics and math. Numerous constituent systems are involved. It requires systems thinking. The FDA is facilitating a collaborative environment to provide leadership in solving these issues. The mission of the FDA is to ensure that medical devices are safe and effective and to ensure security going forward.
By Rollie Olson
INCOSE SFBAC President