“See something. Say something” is Homeland Security’s slogan and call to action, asking every citizen to report suspicious packages and activity.
In the world of cybersecurity, there has been no similar clearinghouse for sharing information about cybersecurity breaches and other suspicious activity involving medical devices.
The U.S. Food and Drug Administration (FDA) has officially executed a trilateral agreement between itself, the Sensato-Information Sharing and Analysis Organization (Sensato-ISAO) and the nonprofit Health Information Sharing and Analysis Center (H-ISAC).
Through the open source cybersecurity intelligence network, healthcare security teams can:
The goal of the ISAO is “to ensure that essential medical device or healthcare cybersecurity vulnerability information can be shared with all stakeholders within the HPH Sector, including those who are not members of H-ISAC and Sensato-ISAO,” according to a statement from the FDA.
“Organizations should not feel they have to go this journey alone,” says Mike Maksymow, CIO of Beebe Healthcare. “Learn from others, share what you know for the benefit of others.”
Maksymow, Gomez, Stoddard Mannikin (CISO of CHOA), and a few others felt so strongly about the lack of collaboration among cybersecurity professionals, especially in healthcare, that they formed the Medical Device Cybersecurity Task Force (MDCTF) in 2016 with the goal of moving quickly and minimizing bureaucracy to better address medical device cybersecurity.
“Members of the MDCTF all had the same focus: patient safety,” says Maksymow. “We knew a few years back we had the ingredients for an unprecedented perfect storm: at a time when identity theft is soaring, we have treasure troves of PHI data being stored in data centers stacked with legacy systems, each with a myriad of exploitable vulnerabilities, and at a time when PHI data is worth much more than credit card information.”
Gomez notes that the MDCTF was meant to be a stop-gap: “We wanted to provide tactical practices and approaches until more mature guidance and practices could be developed by the FDA and H-ISAC,” he says. “With time, the MDCTF grew from 20 organizations to 83, representing providers, manufacturers, government, consultancies, and others with a vested interest in safeguarding patient lives.”
The MDCTF developed a vendor assessment framework, a cybersecurity medical device policy, and other best practices and approaches. The FDA learned of the MDCTF’s progress and assigned MITRE (the nonprofit that manages federally funded research and development centers supporting several U.S. government agencies) to the task force as its representative.
“We are so honored that MITRE approached us to consider evolving the MDCTF to an ISAO and formally partnering with the FDA and H-ISAC,” says Gomez. “More than ever before, medical devices are being targeted and we need to be nimble and proactive in how we protect them and the patients they serve.”
Still in the early stages, the new partnership with the FDA and H-ISAC is seeking ideas from members of the Sensato-ISAO as well as anyone in the healthcare cybersecurity sector.
Maksymow already has a few ideas of his own. “I would love to see this ISAO collaborate with manufacturers, providers, and even patient advocates to improve the safety of patients using medical devices,” says Maksymow. “On an even more grand scale, we should be looking toward what we can share with other industries and manufacturers to improve consumer safety.”
Other ideas Maksymow is bringing to the ISAO include a database of known device and system vulnerabilities and remediation recommendations, as well as a resource offering best practice suggestions and other recommendations.
“Cybersecurity is a daunting and monumental program for anyone, and even more so for an organization with no or limited IT security resources, let alone starting a cyber program around medical devices/systems,” says Maksymow. “This ISAO has already developed tools by which one can get started, and we hope this collaborative effort will result in even more.”