HIMSS 2017: FDA's Carmody Says Regulators, Industry Must "Mature Together"

The main goal, he said, was not merely ensuring compliance with regulation, but instead ensuring actual security.

Speaking at the HIMSS 2017 conference in Orlando, Florida, today, Seth Carmody, a US Food and Drug Administration Cybersecurity Project Manager, gave something of a state-of-security address for the health IT industry, emphasizing the need for collaboration and looking to dispel myths about what companies can and can’t do to respond to threats.

The main goal, he said, was not ensuring compliance with regulation, but instead ensuring security.

While the FDA and manufacturers alike may prioritize product and data safety as it relates to devices’ intended uses, he called for continually intensifying attention to adversarial misuse and exploitation. While direct patient harm is the most blatant concern for the safety of medical devices, the risks of compromised PHI must also be faced down. Third-party components are a complicating factor: many devices and systems use them, but the company delivering the final product is responsible for any risks associated with them.

Margie Zuk of MITRE, speaking immediately after Carmody, reiterated the need for transparency about potentially compromising weaknesses in third-party components. She noted that Philips had previously committed to publishing their full Bill of Materials, and hoped other companies would follow suit.

Carmody and his team’s primary efforts stem from Executive Order 1636 (Improving Critical Infrastructure Cybersecurity), issued by the Obama administration in 2013 to stress the need for reactive interagency cooperation to find threats and disseminate them to the industry in real time.

“We’re maturing,” Carmody said of the fight to ensure postmarket security, “we just got started in 2013, so some sectors may have had a 15- or 20-year head start.”

Much of their work, aside from issuing guidelines, is sharing responsibility for risk, addressing threats at the design level, and articulating manufacturer culpability for weaknesses, potentially tying that to legislation. “Let’s mature together,” he suggested.

Carmody sought to clarify a few industry “myths,” particularly the notion that manufacturers are not allowed to alter their devices without requiring re-certification. With some exceptions, he said, their policy since 2005 has been to allow tweaks solely designed for security without demanding pre-market review from the FDA. He essentially hinted that many manufacturers, or at least some of their representatives on the sales side, use the concept of strict review as an excuse to avoid the often-expensive process of adaptation.

He noted that the agency had widened the scope of their 30-day remediation timeframe for patches and solutions to include a tier for 60-day remediation, but that they wanted that number to come down.

Zuk, for her part, spoke of a wide variety of needs that still have to be addressed in the industry. MITRE is a federally funded non-profit that runs a series of research and development operations to assist agencies and companies with shoring up deficiencies. Both she and Carmody mentioned that hospitals themselves become responsible for problems with insecure devices once those devices are in their facilities, further establishing a need for the conversation to include all members of the industry. “We need the big organizations to help the small organizations, because this is a big lift,” she said, referring to healthcare systems. “In order for the ecosystem to work we need to come up with creative solutions that can be used by all members of that ecosystem.”

Zuk noted that the Healthcare Industry Cybersecurity Task Force, a project of the Department of Health and Human Services, was meeting at HIMSS and wrapping up a report that they are set to deliver to Congress in the coming months.