Archimedes Circular Podcast 0x01 Co Chairs of the AAMI Medical Device Security Working Group
Archimedes Circular Podcast 0x01 Co Chairs of the AAMI Medical Device Security Working Group
 |
| Not an official logo of the AAMI Medical Device Security Working Group, but it may become a T-shirt after members catch up. |
Ken Hoyme and Geoffrey Pascoe are co-chairs of the AAMI Medical Device Security Working group. AAMI is the Association for the Advancement of Medical Instrumentation. Founded in 1967, AAMI is a non-profit organization of 7,000 professionals for the development, management, and use of safe and effective healthcare technology. AAMI consists of over 100 technical committees and working groups that produce Standards, Recommended Practices, and Technical Information Reports for medical devices. The medical device security co-chairs are interviewed by Kevin Fu, a professor at the University of Michigan and the Archimedes Center for Medical Device Security.
For several years, the AAMI Medical Device Security Working group has been toiling away tirelessly on the Technical Information Report #57 (Principles for medical device information security risk management). Its members fondly call it TIR 57. The document provides advice to front-line medical device engineers on how to begin integrating security engineering into the design and implementation of medical devices. The TIR 57 is based on the input and consensus vote of medical device manufacturers, health delivery organizations, security engineering experts, and faculty.
Kevin: Welcome to the Inaugural Archimedes Broadcast. My name is Kevin Fu. I direct the Archimedes Center for Medical Device Security. Today, we�re going to talk about consensus standards and guidance documents for manufacturers to meet FDA expectations on medical device security. Today, I am interviewing Ken Hoyme and Geoff Pascoe, the co-chairs of the Medical Device Security Working Group of AAMI, which is considered the most respected standards body in the medical devices arena. I am also joined by Wil Vargas who is the director of standards at AAMI, so welcome, Ken, Geoff and Wil.
Wil: Thank you.
Ken: Thank you. Thank you for having us.
Geoff: Thanks.
Kevin: Let me begin with just a little background here because not everybody is familiar with AAMI. AAMI is the Association for the Advancement of Medical Instrumentation. When talking with my information security colleagues I often liken AAMI to the IETF of the medical device manufacturing world. AAMI is this nonprofit organization that supports the healthcare community, has over 7000 professional members represented and they�re really the primary source of consensus standards for the medical device industry.
Before we get into what AAMI is doing in the medical device space, I was hoping Wil, maybe you could just tell us a little bit about AAMI and in a jargon-free world to introduce some of our technical folks who may not be familiar with medical devices what exactly AAMI does.
Wil: Sure. AAMI stands for the Association for the Advancement of Medical Instrumentation. They have been around for almost I think 50 years now. Its focus has been on issues relating to patient safety with medical devices. The efforts really started around creating voluntary standards and guidance documents to help address and facilitate those issues to improve patient safety for medical devices across a wide spectrum of device safety issues from sterilization all the way through elements of software and security.
AAMI�s products and services have developed and grown over time really with that core focus in mind. We have conferences and courses and events, all related to communicating the issues related to patient safety. The standards program is really where the rubber hits the road bringing the experts together, from industry manufacturers and even the end users which are the doctors as well as the biomeds, the biotech, and getting them around the table to address and create those voluntary standards. That�s part of the core of what AAMI does even 50 years later.
Kevin: My understanding is that AAMI is this independent body that is not an advocacy group but is more a builder of consensus. Maybe you could help us understand how that affects or what makes AAMI special.
Wil: You�re right. AAMI doesn�t really get involved and doesn�t really play a role in advocacy or lobbying. It�s a nonprofit organization that relies on the consensus process which is basically where you get folks to agree enough on a topic that we can move on, not that everyone completely 100% solidly is behind or believes 100% that they would do it that way if it were up to them. Consensus is one of those weird squishy things but it works and it works really well in order to create these voluntary standards, but it also takes on or takes in a lot of feedback within the consensus building process.
It�s not a one and done type of operation when you�re developing a standard. It�s a very iterative sequential process where the issues and elements are discussed at great length over a very long period of time, at least a minimum of a year, it can be as long as five years in order to achieve that level of consensus required to achieve and get the document approved.
Geoff: This is Geoff, I think one of the really useful things about this consensus process is that especially in the medical device industry where we�re heavily regulated it really provides a mechanism for the FDA to collaborate with industry in an open structure that doesn�t favor any particular manufacturer. They have to be very careful about how they communicate their intent to manufacturers. The AAMI rules at being a standards organization really creates a forum where it�s not just the product but the product actually creates these mechanisms for communication in such a way that it actually meets both the needs of the regulators as well as also the needs of the manufactures, and also, in some case the providers.
Kevin: This is a good segue to Geoff and Ken on your specific duties on the AMMI Working Group on medical device security. Everybody who is listening to this is aware that medical device security is a problem and one of the problems is where do you point a manufacturer to improve the medical device security posture? Ken or Geoff, I am hoping you can give me just a brief introduction to what is the AAMI working group on medical device security. What is it doing?
Ken: Sure. This is Ken. We were formed about three years ago I think really in response to when the general accounting office (GAO) issued their report encouraging the FDA to improve their pre-market expectations of cyber security and medical devices and their post market surveillance. Again, as Geoff mentioned there is this collaboration between AAMI and the FDA. I think AAMI saw the opportunity there to help drive some consensus standards and discussions between industry and regulator to help evolve the thinking on that and provide some clear guidance on industry to meet the expectations of the FDA.
The committee was formed in the typical AAMI process where all the various member organizations are informed of new committees that are emerging and other kinds of communication vehicles. I think our first meeting was in May of 2013. I think we had about 40 people at that first meeting and have cut across FDA participated medical device manufacturers, security researchers, hospitals, the veteran�s administration had cyber security involved in it. There is clearly a lot of interest and energy working on improving cyber security in these devices.
Kevin: Right, so you have a pretty broad group contributing then. These guidance documents take quite a while to produce because the thing about democracy and consensus building is it takes time. I understand that AAMI is still in the middle of this, but what should we be expecting down the road? To a medical device manufacturer who is looking at the FDA pre-market guidance and the draft post market guidance on cyber security, what elements of this guidance document is going to be most valued or what do you think they are going to be looking for?
Geoff: Kevin, when you say �guidance document� you�re referring to AAMI in this particular case, because we refer to these things that are nonstandard as technical reports.
Kevin: My apologies. I am not speaking the lingo. Yes, the TIR. Tell us a little bit about the TIR 57 and how it relates to manufacturer needs to meet FDA expectations with both the pre-market and the post market guidance. Basically, what can they expect?
Ken: The first technical report that the committee decided to tackle we evaluated probably a dozen different directions that we could go, looked at what that other organizations were already producing out there. Our initial choice was to try to address. What ended up shortly after we focused on this, directly tied to the original guidance for pre-market notification, pre-market analysis. What we decided as a committee is since medical device manufacturers are very familiar with safety risk management as part of their quality systems and there is an international standards, standard 14971 that address the risk management process associated with patient harm and patient hazards. Most of our organizations understand the need to do this and have systems in place to assist in that.
What we decided to do was to essentially frame security risk management in the context of the procedures that are defined in that 14971 document and essentially teach device manufacturers that might not have a security background how to reason about security risk management during the development of their process. That ended being up very closely aligned to how the original guidance for the pre-market information addresses manufactures to basically look at acceptability of risk and mitigate those risks that are unacceptable.
Geoff: Right. I was going to say I think one of the things about this familiarity with the medical device manufacturer familiarity with safety risk management, it�s a double edged sword. They understand the concept of risk management but I think they don�t really fully appreciate the significant differences between security risk management, safety risk management. The fact that there are similarities, there are linkages that need to occur but as a result there are significant differences.
We wouldn�t want to see manufacturers saying well we do safety risk management according to 14971 and we put some security stuff in there and we�re set. I think one of the things about this that is a strength of this technical report is that it makes clear what those similarities are, what those differences are and how the two interact.
Kevin: For the folks who are less familiar with AAMI and even FDA guidance documents, could you try to tease out for me what is the difference between an AAMI Technical Information report (TIR) and an FDA guidance document or even a company whitepaper? How is this going to be different?
Ken: I think a guidance document by the FDA is recommended approaches that manufacturers should consider. They aren�t bound to it as opposed to a standard or something that�s recognized as a shell document. The FDA has flexibility in how they understand and interpret it, but it is reasonably understood by device manufacturers that when the FDA produces a guidance document that that creates an expectation for what they should do and if they ask for device approval without following the information or anything with respect to those documents, that they would expect to have a slow process with lots of questions back from the FDA during the approval.
Geoff: Yeah. I think that�s the key, is that technically guidance from the FDA is not enforceable. On the other hand, if you don�t follow the guidance, you create additional barriers either during approval process for regulatory submissions or even in the case of an FDA inspection. Now FDA inspectors are familiar with the guides, so if you show documentation that supports an approach that is commensurate with the guidance, they know how to follow that. If you do it in a completely different way, then it leads to additional questions and makes inspections and regulatory submissions a lot more complicated. I think as a practical matter, most manufactures try to follow the guidance whenever they can.
Kevin: Right, and to the effect that I am beginning to see whitepapers being circulated about recommended ways to improve medical device security, where do you think AAMI is going to distinguish itself with its TIR compared to what we�re seeing coming out of individual companies and other sources of information for general advice?
Geoff: I think one of the strengths of AAMI is number one their intimate familiarity with medical device fields and particularly an emphasis on safety. I think that that is one of the things that distinguishes medical device security and some other types of security, some that are similar to this, perhaps in the transportation field would be one example or even ITS systems. It�s really safety and it�s the linkages between safety and security that I think really is a place where AAMI can make significant contributions as opposed to the traditional protection of confidentiality of information.
Ken: I agree with Geoff. That�s a key distinction. Nature abhors a vacuum. As soon as a lot of press was hit with regard to medical device security, there are a lot of organization that wanted to pile in and help. I think many of those organizations because they don�t have that intimate connection with the safety and effectiveness that regulators expect for medical devices will come at it more from a confidentiality encryption point of view. Everyone is very familiar with the various financial penalties that hospitals and health systems and insurance companies have been hit because of breech of information but medical devices are cyber-physical systems. They touch patients. They measure things off of people. They are delivering therapy to people.
In that regard, the issues of integrity and availability can sometimes take precedence over confidentiality concerns particularly if you are dealing with devices that are deployed in an emergency room or in a surgery theater. Having that understanding of being able to balance and trade off the safety aspects of things and security aspects of things is I think a unique position that AAMI has because of that connection to the regulators and the health delivery organizations.
Geoff: Sometimes you�ll actually see or hear people talk about the inverting of the CIA triangle. Normally, this is demonstrated with confidentiality at the top, integrity and availability at the bottom of vertices of the triangle but really from a safety standpoint it�s really the integrity and availability are more important. Sometimes you�ll see the triangle upside down. Not that confidentiality isn�t important, but integrity and availability takes a driver�s seat and shotgun.
Kevin: I have a couple of more technical questions for you. We�ll see how many we can get through in our time today, but I am curious, because the hospitals are involved in attending these working group meetings, to a medical device manufacturer who uses the TIR 57, is that going to help them to better understand what kind of procurement questions they are going to be asked in the coming future by hospitals and other healthcare providers? What is the interface here that is going to help the manufacturer to meet not only expectations of the regulator but also expectations of the purchaser?
Ken: I think the primary vehicle that has been used by purchasers has been the MDS2 form, which is a medical disclosure statement for a medical device security. It�s actually MDS squared. That form is a means for a device manufacturer to articulate the different security properties that are available in their device which would inform both the purchaser as well as any people in the hospital that are going to deploy a device into the hospital network, want they should expect.
While TIR 57 doesn�t directly address a MDS2 form requirements, we do reference it. I would expect that a manufacturer that would use the expectation of that form as they do their security risk management during product design would have the information necessary to disclose on that form automatically by going through the process. That is as opposed to a manufacturer that doesn�t think about security and then is asked at the point when they are marketing the device, �Could you fill this form out?� and they really haven�t thought through the questions when they developed the device then they certainly are going to be in a weaker position.
Geoff: I would also add that there is another actual standard that plays into this communication between manufacturers and providers, and that is IEC 80001 which is also worked on by a group at AAMI which is the application of risk management for IT networks incorporating medical devices. Now, their risk management incorporates security but it also considers other types of safety risk. In one of the parts of 80001, they have actually aligned with the MDS2 categorization of the types of things to be considered in security. There is an alignment there.
As Ken has pointed out, we do reference the MDS2. There is some good guidance in some of the annexes of the technical report but I think you�ll see actually much more
download
alternative link download
alternative link download
