CMS Takes Aim At Medical Device Cybersecurity – How To Ensure Continuous Medicare/Medicaid Coverage

By John Giantsidis, president, CyberActa, Inc.

Medical device cybersecurity risks are a constantly evolving threat to a device's ability to achieve its objectives and deliver its core functions. The FDA has been very clear that cybersecurity must be a part of medical device manufacturers' quality management systems, and the agency has set the need for static and dynamic code analysis, penetration testing, and other technology to manage medical device cybersecurity risk. Penetration testing is simply a point-in-time assessment against current, known security risks; security testing provides the most scientific value for yet unknown vulnerabilities when tied directly to design requirements and an explicit, refutable threat model and clinically relevant cybersecurity risks, rather than relying solely on unstructured searches for known vulnerabilities.

In its June 2021 report, the U.S. Department of Health and Human Services Office of Inspector General declared that Medicare lacks consistent oversight of cybersecurity for networked medical devices in hospitals.¹ The Centers for Medicare & Medicaid Services (CMS), which oversees the Medicare conditions of participation (CoPs) in order to receive Medicare payments, has acquiesced and is considering additional ways to highlight the importance of medical device cybersecurity, in conjunction with the FDA and the Office for Civil Rights (OCR).¹

The power of the Office of Inspector General is not to be dismissed. The OIG has previously examined FDA’s role in assessing the cybersecurity risk of medical devices in both premarket and post-market settings. A 2018 report found that the FDA had taken steps to address emerging cybersecurity concerns, including issuing guidance documents on medical device cybersecurity to FDA reviewers of devices and reviewing cybersecurity information in premarket submissions for networked medical devices.² However, the report also found that FDA could do more to integrate its assessment of cybersecurity for networked medical devices into its premarket review process.² OIG recommended that FDA promote the use of pre-submission meetings to address cybersecurity-related questions and include cybersecurity in tools that FDA reviewers use to facilitate their reviews of networked devices.² FDA concurred with and implemented these recommendations. Another report found that FDA's policies and procedures were insufficient for handling post-market events involving cybersecurity of medical devices.³ The report found that FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events with medical devices. In addition, the report found that in two of 19 district offices, FDA had not established written standard operating procedures to address recalls of medical devices vulnerable to cybersecurity threats.³ OIG recommended that FDA assess cybersecurity risks to medical devices; enter into a formal agreement with federal partners; ensure creation of procedures for recalls of devices vulnerable to cybersecurity threats; and establish procedures for sharing information with key stakeholders about cybersecurity events.³ FDA concurred with the recommendations.

Just as with business risks, an organization can never remove every single medical device cybersecurity risk that its products may face. However, managers with executive responsibility must, first and foremost, ensure that patients are protected, and understand that security failings can result in significant long-term expense to the organization and can substantially damage consumer trust and brand reputation.

What can your organization do? Managers with executive responsibility need an accurate picture of their medical device’s cybersecurity posture. They also need to reassure themselves that they have up-to-date information on the known medical device security vulnerabilities and threats so they can make informed information risk decisions.

How To Develop A Framework For Managing Cybersecurity Risks

We need to put medical device cybersecurity on the agenda before it becomes the agenda, by incorporating cyber risks into existing medical device risk management and governance processes. It is important to understand that cybersecurity is NOT implementing a checklist of requirements;⁴ it is managing medical device cyber risks to an acceptable level. Managing medical device cybersecurity risk as part of an organization’s governance, risk management, and quality frameworks provides the strategic framework for managing cybersecurity risk throughout the development, manufacturing, and commercialization of a medical device. Managers with executive responsibility need to be asking the following probing questions:

• Do we understand how medical device cybersecurity affects our responsibilities?
  • Do we have enough expertise to understand the significance of medical device cybersecurity for our products and strategic objectives of our organization?
  • Who is responsible for our medical device cybersecurity?
  • Have we expressed in a clear enough manner the information that we need on medical device cybersecurity?
• Who is currently responsible for our medical device cybersecurity?
  • Is there a formal appointment?
  • How does this person keep in touch with us?
  • Do they participate in some other type of reporting process?
  • What are the person’s objectives and who sets them?
  • Do these objectives promote medical device cybersecurity in a manner that benefits the entire organization?
  • Is this person able to reach the necessary people to ensure the efficiency of our cybersecurity?
• What sort of medical device cybersecurity expertise does our organization need and what type of expertise do we already have?
  • What type of expertise does our organization need to manage its cyber risks?
  • Which tasks should we keep in-house and which should we outsource?
  • What kind of expertise should every staff member in our organization have on cybersecurity? How comprehensively and often should we train our staff on our security practices?
• What kind of plan does our organization have in place for the development of any missing areas of expertise?
  • Who is responsible for the development of cybersecurity expertise?
  • Is this development work based on a plan and who is/are responsible for its implementation?
  • Where can we find the people we need?
  • Do they work in our organization, or should we acquire the skills we need through outsourcing, for example?
• How is our organization informed of a security incident its medical devices have been subject to?
  • Are our thresholds for alerts set to the right level?
  • Are they low enough so that the right warning can be given in case any incidents are detected? Are they high enough so that the people who process them are not burdened with meaningless information?
• Do we know who is responsible for leading the response to a security incident and who has the authority to make decisions?
  • Who can make decisions and on which issues?

A Crisis Management Plan Is A Must-Have

Launching a medical device cybersecurity program is not a trivial task, and a successful program of this magnitude would need to have buy-in from decision makers and stakeholders. When making a business case for resourcing a medical device cybersecurity program, it’s important to ensure that the decision makers understand what’s required to implement and manage a successful program. Most of a program’s resources would generally be allocated across three areas:

• people
• process
• technology.

A company’s medical device cybersecurity team needs to have:

• a sufficient number of staff who are appropriately skilled. The composition of the team will vary depending on the company’s products and their complexity and risk profiles; and
• the resources to support the required medical device cybersecurity processes, such as conducting threat analyses and risk assessments and identifying and implementing appropriate controls.

In today’s market, there are numerous cybersecurity technologies that can facilitate the operation of a company’s medical device cybersecurity program. Automation, efficiency, and consistency are some of the benefits these technologies can provide.

A must-have while the medical device cybersecurity program is being designed, launched, and implemented is to immediately implement a crisis management plan that would enable the organization to lead, take, and maintain the initiative during the crisis and, if lost, to look for opportunities to regain it. Taking reasonable measures is almost always better than doing nothing, but it should be based on a previously agreed plan and preparation. It will be easier to take appropriate action in a short period of time (which is usually the case in such situations) if there is some kind of prior work than if there is not. In this way, nervousness or improvisation, which are all too common at this time, can be avoided.

Many organizations have drawn up crisis management plans, based on ISO 27001 and ISO 22301, that describe the tasks required to develop crisis management capability and to identify the main actions to be taken in response to a serious situation or a disaster. These plans usually include a crisis manual that serves as a reference framework to count on a script of actions being carried out in terms of continuity, contingency, communication, human resources, etc., with a clear assignment of responsibilities. These plans should be properly disseminated among the organization and its management through exercises or training sessions.

Conclusion

Cybersecurity is crucial for medical device safety and effectiveness. Without proper cybersecurity controls, hospitals’ networked medical devices can be compromised, which can lead to patient harm. The FDA considers cybersecurity for networked medical devices to be a responsibility shared among stakeholders, including FDA, device manufacturers, and healthcare providers. Right now, Medicare lacks consistent oversight of the cybersecurity of networked medical devices in hospitals. Soon, the Medicare conditions of participation will cover a cybersecurity evaluation of medical devices, and this will have a trickle-down effect on manufacturers, requiring them to offer medical devices with cybersecurity in mind. Otherwise, hospitals that use the devices may not be able to participate in Medicare/Medicaid.   

References

1. OIG, Medicare Lacks Consistent Oversight of Cybersecurity for Networked Medical Devices in Hospitals, OEI-01-20-00220, June 2021
2. OIG, FDA Should Further Integrate Its Review of Cybersecurity Into the Premarket Review Process for Medical Devices (OEI-09- 16-00220), September 2018.
3. OIG, The Food and Drug Administration's Policies and Procedures Should Better Address Postmarket Cybersecurity Risk to Medical Devices (A-18-16-30530), October 2018.
4. President’s Executive Order (EO) on Improving the Cybersecurity of the Federal Government (EO 14028)

About The Author:

John Giantsidis is the president of CyberActa, Inc, a boutique consultancy empowering medical device, digital health, and pharmaceutical companies in their cybersecurity, privacy, data integrity, risk, SaMD regulatory compliance, and commercialization endeavors. He is also a member of the Florida Bar’s Committee on Technology and a Cyber Aux with the U.S. Marine Corps. He holds a Bachelor of Science degree from Clark University, a Juris Doctor from the University of New Hampshire, and a Master of Engineering in Cybersecurity Policy and Compliance from The George Washington University. He can be reached at john.giantsidis@cyberacta.com.