February 25, 2016
The Food and Drug Administration has begun a push for good-faith hacking in order to anticipate and address cyber security issues, particularly in the realm of medical devices, according to a senior official in the agency. It is also trying to create incentives for manufacturers to take cyber security more seriously.

“This has been very much a journey, very much an evolving process,” said Susanne Schwartz, Associate Director for Science and Strategic Partnerships at the FDA.

The main challenge is one of cultural disconnect between the medical device and hacker communities, agreed Schwartz and Mara Tam, Director of Government Affairs at HackerOne, a cyber security firm.

In order to bridge this divide, experts are changing the discourse surrounding hackers, referring to them instead as “security researchers.” These security researchers are no longer portrayed as agents of chaos, but rather key players who draw attention to potential vulnerabilities in medical devices.

Tam noted that for security researchers this push for increased cooperation has been one of the most constructive steps in terms of opening and normalizing relations with the wider world. It has also created an opportunity to contribute constructively to critical safety and security issues. “The hacker who shows up with a vulnerability for you is your friend,” Tam said while emphasizing the importance of security researchers as part of the solution.

Schwartz and Tam spoke as part of a panel hosted by the Atlantic Council’s Brent Scowcroft Center on International Security on February 24. Beau Woods, Deputy Director of the Council’s Cyber Statecraft Initiative, moderated the discussion.

Schwartz noted the difficulty of bridging the gap between the medical device community and the security research expertise it needs. “How do we bridge that without the owners and operators feeling as if they are being attacked or told that their devices are no good?” she asked.

Security researchers, however, can learn from the safety disciplines about what truly matters. “What I have seen security researchers fail to do over and over again is really to prioritize and recognize a huge distinction between a security issue and a safety issue, the difference being one causes harm to someone and one is maybe merely an inconvenience,” said Woods. “Sometimes you favor a more vulnerable, older piece of software because its performance is better known than a newer, less vulnerable piece of software,” he added.

In addressing these cultural differences, Schwartz highlighted the importance of beginning a dialogue on the challenges of improving the cyber security posture of medical devices within healthcare. Similarly, Tam said both sides need to address and understand each other’s expectations and work processes. She noted that it is important during this dialogue to have a third-party mediator.

Schwartz acknowledged a gradual change in the culture of understanding and increased cooperation among some stakeholders. She emphasized that by virtue of example these partnerships are demonstrating that “it is not only possible, but it is in our best interest.”

A manufacturer’s ability to work in partnership with security researchers is going to set it apart from other manufacturers because it will receive pre-market and post-market cyber security advice, she added.

The FDA is not only pushing for more good-faith hacking and cooperation between the stakeholders, but is also seeking to create greater incentives for manufacturers to take cyber security more seriously.

Schwartz said the way to do this is through regulatory incentives, proposed in the draft guidance for the FDA’s post-market surveillance function of connected medical devices. This draft guidance reiterates that the FDA, by and large, does not need to receive new submissions to allow for updates and patches to medical device vulnerabilities. Therefore, if you have a medical device with a cyber bug in it, it doesn’t necessarily have to be recalled. Schwartz said the FDA wants manufacturers to do the right thing by being proactive in monitoring and identifying vulnerabilities.

The FDA is accepting comments on the draft guidance until April 21.

Sarah Wildi is an intern at the Atlantic Council.