Showing posts from October, 2018

Week Nine

Hello! Welcome to this week's Ryan Report. Today, I will discuss Dave Muoio's article on securing legacy medical devices. As he states in the title, securing the current install base (AKA legacy) of medical devices at a healthcare delivery organization is a daunting but not optional challenge. New devices hitting the market are generally "better" at security than devices that have been around for years. Some healthcare devices, such as imaging systems, are run-to-fail and have been in use at a hospital for perhaps 20 years or longer. These systems were not designed for the modern cybersecurity threat landscape and present vulnerabilities that healthcare organizations must manage. Muoio interviewed several industry experts on this topic, and there was a consensus on how to start managing the risks that legacy medical devices pose: identification of network-connected medical devices. This seems obvious, but it is a challenge that every healthcare organization faces. Mo...

Week Eight

Hello! Welcome to this week's Ryan Report. Today, I will profile the FDA press release on their new draft guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. This is an update to the FDA's 2014 premarket guidance, which provides recommendations to industry on cybersecurity considerations for device design, labeling and documentation that the FDA recommends to be included in premarket submissions for medical devices with cybersecurity risk. The guidance is meant for manufacturers in order to facilitate an efficient premarket review process and help ensure that medical devices are designed to sufficiently address cybersecurity threats before the devices are on the market. New recommendations include a cybersecurity bill of materials and the introduction of two tiers of devices: those that present high and standard cybersecurity risk. The bill of materials concept is one that is familiar in other industries, and its purpose is to hel...

Week Seven

Hello! Welcome to this week's Ryan Report. Today, I will discuss the safety alert released this week by the FDA for Medtronic implantable cardiac device programmers. Interestingly, this is only the thirteenth safety alert issued by the FDA in 2018 for medical devices, and the first as a result of cybersecurity considerations. The relative lack of cybersecurity capabilities of medical devices is well known in the healthcare security community, but perhaps this is the first instance of the year in which cyber vulnerabilities pose a realistic patient safety risk. The Medtronic programmers are used during implantation and regular follow-up visits for Medtronic implantable electrophysiology devices (CIEDs). CIEDs include pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors. Physicians use the programmers to obtain device performance data, check battery status, and adjust device settings. Updates for the programmer are downloaded...

Week Six

Hello! Welcome to this week's Ryan Report. Today, I will discuss the press release from the FDA describing the agency's efforts to strengthen its medical device cybersecurity program. Scott Gottlieb, the FDA commissioner, begins the statement with the sobering and very true proclamation that cyber threats pose a realistic danger to medical devices. The agency isn't aware of any attacks directly affecting a patient-connected medical device, but the risk is certainly there. Gottlieb announces the launch of a cybersecurity playbook for healthcare delivery organizations (HDOs, i.e. hospitals) that is focused on promoting cybersecurity readiness. Also, he announces the signing of two memoranda of understanding that provide for increased information sharing. Both the playbook and the MOUs are significant advancements in improving the cybersecurity of medical devices. HDOs have in recent years sought guidance from the FDA regarding the agency's position on securing computeri...