Conversations with the FDA’s Suzanne Schwartz and Kevin Fu: Part 1
In part one of this two-part special episode, Mike welcomes Suzanne Schwartz, Director of the Office of Strategic Partnerships and Technology Innovation (OST) at FDA’s Center for Devices & Radiological Health (CDRH), and Kevin Fu, Acting Director of Medical Device Cybersecurity at FDA’s Center for Devices and Radiological Health (CDRH) and Program Director for Cybersecurity. Join us as they talk about the FDA’s journey to designing cybersecurity standards for medical devices, including establishing pre- and post-market policy, threat modeling and SBOMs (Software Bills of Materials).
In today’s episode of In Scope, host Mike Murray interviews two luminaries from the medical device security world, Suzanne Schwartz and Kevin Fu of the FDA. Suzanne is the Director of the Office of Strategic Partnerships and Technology Innovation at FDA’s Center for Devices and Radiological Health. Her work involves medical device cybersecurity, an effort she has had the privilege of growing from a seedling since 2013. Also at FDA’s Center for Devices and Radiological Health, Kevin is the Acting Director for Medical Device Cybersecurity. He is on loan for this calendar year from the University of Michigan, where he has taught cybersecurity and engineering for 20 years.
FDA’s efforts in cybersecurity only really took off in 2013, though some early foundational work preceded Suzanne. She explains that they realized the crucial nature of cybersecurity in medical devices when a large cache of vulnerabilities was identified by security researchers. It was a new and foreign concept at the time, but they knew it was an area that required attention. The first few years of the undertaking involved building relationships with government and researchers and bringing the ecosystem to the table together. While some of the issues remain unsolved, Suzanne stresses that they are no longer being ignored. Eventually, they were able to set their own expectations for medical device manufacturers in terms of building security into the design. While the efforts of those early years were effective then, the landscape is now dynamic and evolving, and expectations are higher.
Then, Kevin discusses the current focuses of his department. What is going on now, he says, is much more constructive: positive approaches to security design that build security in from the start. There is more acceptance now that this is a problem requiring shared responsibility. Within FDA, there is activity around threat modeling, which he considers fundamental to good security. Other programs include the Joint Security Plan and advances in the software bill of materials, also known as SBOM.
FDA sees the importance of transparency across all different domains. When risks are identified in medical device performance, manufacturers are required to communicate them to the public. An SBOM is a bill of materials, available to manufacturers and their customers, that describes the software components in a product. It is a method of risk mitigation and protection against potential attacks. They recently included the element of CBOM (Cybersecurity Bill of Materials), which they defined as inclusive of both software and hardware. Manufacturers have come around a lot to the importance of SBOM. They are working now toward determining what the execution of actionable information can look like.
It’s extremely difficult to make claims about software or security without an ingredient list of what is in the device. SBOM allows HDOs to detect where patches may be needed. Over the past year, the FDA has predominantly faced a different trend of vulnerabilities. Without knowing what is in the software, they are very difficult to track down. SBOM makes this recognition easier for everyone involved.
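As an added example (not code from the podcast, the FDA or either guest), the SBOM-driven exposure check the summary describes: constructed CycloneDX-style SBOMs for a small device fleet are matched against constructed advisories, a nested component shows why depth matters, and findings are tiered with the controlled/uncontrolled distinction the conversation raises later. Every device name, component, version and advisory ID below is made up for illustration.

```python
"""
Added example: triage a fleet of medical devices against vulnerability
advisories using each device's SBOM. All SBOMs, component names, versions
and advisory identifiers are constructed for illustration.
"""
from typing import Any, Dict, Iterator, List, Tuple

# Constructed SBOMs in a CycloneDX-like shape: each device model lists its
# components, and a component may itself nest the components it bundles
# (the "how many layers deep" question raised in the conversation).
FLEET_SBOMS: Dict[str, Dict[str, Any]] = {
    "infusion-pump-A": {
        "components": [
            {"name": "example-rtos", "version": "6.9.1"},
            {"name": "example-tcpip-stack", "version": "2.3.0",
             "components": [{"name": "example-dns-lib", "version": "1.0.4"}]},
        ]
    },
    "imaging-workstation-B": {
        "components": [
            {"name": "example-os", "version": "7.1.0"},
            {"name": "example-tcpip-stack", "version": "2.5.2"},
        ]
    },
    "monitor-C": {
        "components": [{"name": "example-os", "version": "10.0.1"}],
    },
}

# Constructed advisories: the affected component, the vulnerable range
# (introduced <= version < fixed_in) and a risk tier. The tier is simplified
# here; in practice it is assessed per device after exploitability and
# severity analysis, as the post-market guidance discussion describes.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-0001", "component": "example-tcpip-stack",
     "introduced": "2.0.0", "fixed_in": "2.4.0", "risk": "uncontrolled"},
    {"id": "ADV-0002", "component": "example-dns-lib",
     "introduced": "1.0.0", "fixed_in": "1.1.0", "risk": "controlled"},
    {"id": "ADV-0003", "component": "example-os",
     "introduced": "7.0.0", "fixed_in": "7.2.0", "risk": "uncontrolled"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.1.3' -> (7, 1, 3); tuples compare numerically, so 7.10 > 7.9."""
    return tuple(int(part) for part in text.split("."))


def walk_components(components: List[Dict[str, Any]],
                    depth: int = 1) -> Iterator[Tuple[str, str, int]]:
    """Yield (name, version, depth) for every component, nested ones included."""
    for comp in components:
        yield comp["name"], comp["version"], depth
        yield from walk_components(comp.get("components", []), depth + 1)


def is_vulnerable(version: str, advisory: Dict[str, str]) -> bool:
    """True when the installed version falls inside the advisory's range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed_in"])


def exposure_report(fleet: Dict[str, Dict[str, Any]],
                    advisories: List[Dict[str, str]]) -> Dict[str, List[Dict[str, Any]]]:
    """Map each device model to the advisories matching a component in its SBOM."""
    report: Dict[str, List[Dict[str, Any]]] = {}
    for device, sbom in fleet.items():
        hits = []
        for name, version, depth in walk_components(sbom.get("components", [])):
            for adv in advisories:
                if adv["component"] == name and is_vulnerable(version, adv):
                    hits.append({"advisory": adv["id"], "component": name,
                                 "version": version, "depth": depth,
                                 "risk": adv["risk"]})
        report[device] = hits
    return report


def uncontrolled_devices(report: Dict[str, List[Dict[str, Any]]]) -> List[str]:
    """Devices with at least one uncontrolled-risk finding, for prioritisation."""
    return sorted(d for d, hits in report.items()
                  if any(h["risk"] == "uncontrolled" for h in hits))


if __name__ == "__main__":
    rep = exposure_report(FLEET_SBOMS, ADVISORIES)
    for device, hits in rep.items():
        print(device, hits or "no known exposure")
    print("prioritise:", uncontrolled_devices(rep))
```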
Thank you for joining us today for part one of this two-part special episode. Stay tuned for part two and subscribe wherever you listen to podcasts!
– Mike introduces the episode and his guests.
– Suzanne and Kevin introduce themselves and their work.
– The evolution of cybersecurity at FDA.
– Cybersecurity 2013 vs. today.
– Kevin discusses current focuses.
– Why has SBOM become so controversial?
– The importance of SBOM for security.
0:00:02.7 Speaker 1: Welcome to In Scope The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:22.4 Mike Murray: And welcome back to In Scope The Healthcare Security Podcast. I’ve been waiting for this episode for a long time, and I can’t tell you how excited I am. I know I say I’m excited for many of our guests, but when you get to talk to two of the luminaries around medical device security, it’s a pretty exciting day. So today we have with us Suzanne Schwartz and Kevin Fu of the FDA, and we’re gonna get deep into all things medical devices and regulations and regulatory and all of those things. But for those who don’t know, maybe I’ll let Kevin and Suzanne introduce themselves. Suzanne, do you wanna go first and tell everybody who you are?
0:00:57.3 Suzanne Schwartz: Sure. And first off, you’re making me blush, Mike. I don’t consider myself a luminary. I am Suzanne Schwartz, the Director of the Office of Strategic Partnerships and Technology Innovation at FDA’s Center for Devices and Radiological Health, it’s quite a mouthful. Let’s just make it simple by stating that the work that is undertaken for medical device cybersecurity falls within my office’s portfolio and I’ve had the privilege and the pleasure of really growing this effort from a seedling back in 2013 to where we are at present. And I will let Kevin introduce himself, as well, right now because he’s the latest asset that we have been able to bring on board to help us in our journey.
0:01:47.9 Kevin Fu: Thanks Suzanne, and only a luminary would deny being a luminary, by the way, but… [chuckle] Thank you. So I’m Kevin Fu. I work in Suzanne’s shop. I am the Acting Director for Medical Device Cybersecurity in the Center for Devices and Radiological Health at FDA. I am on loan from the University of Michigan where I’m an engineering professor, where I’ve been teaching cybersecurity engineering for about 20 years, starting about my time at MIT. It’s a real pleasure to have this stay at FDA for the calendar year.
0:02:18.8 MM: I don’t think everybody knows, and I certainly didn’t know before, Suzanne, you and I met, that the FDA really didn’t get engaged in designing cybersecurity standards for medical devices until 2013, that that was really kinda when the effort started and with the pre-market guidance that came out and the post-market guidance. And I don’t know whoever amongst the two of you, but maybe Suzanne, you wanna talk a little bit about the journey that got us here? You’ve done a lot in the last seven years in terms of all of the impacts that we’ve had on the industry, do you wanna kinda give the highlights?
0:02:51.3 SS: Oh, sure, thank you. I will say that I do stand on the shoulders of giants that preceded me. There was some early foundational work that was done in the 2005 and 2009 time frame in terms of FDA’s release of some early guidances. It didn’t specifically call out cybersecurity, but a lot of that work done by two people that are worth mentioning here. One who is still in our shop, Brian Fitzgerald, and another, John Murray, who really were, in many regards, founding fathers that I leaned on quite heavily in 2013 and going forward, as we in earnest began to build out a program around cybersecurity. And as happens in many cases, an organization may recognize the criticality of undertaking a new programmatic effort when faced with a crisis, when faced with needing to put out a fire, if you will.
0:03:57.4 SS: And that was how we were sort of introduced to cybersecurity of medical devices back in the spring of 2013 as a result of my being informed by a sister agency outside of our department, DHS, around a huge number, a huge cache of vulnerabilities that had been identified by several security researchers. And they were presenting them to us, and, What’s FDA going to do with this information? Having had no exposure at all to, What is a vulnerability within a medical device from a cybersecurity perspective? What is coordinated disclosure? Who is DHS? How do they work with security researchers or white hat hackers? And we learned, kind of trial by fire, as they say, in really undertaking efforts that were initially reactive, initially incident response. But that was enough of a wake-up call to the center and to the agency that we need to be putting the building blocks in place.
0:05:13.0 SS: Not merely around incident response and being reactive, but rather, How do we move to this more forward-leaning stance? What policies do we have in place? What policies do we need to put in place? What partnerships need to be cultivated? Who is the ecosystem or who makes up the ecosystem here? So those first few years in that journey were really about undertaking a multi-pronged approach, developing the partnerships across government, as well as with the private sector, as well as with a really important group being the security researchers who were providing such important education and enlightenment to us in the work that they were doing in the medical device realm that we otherwise really had very, very little visibility to. And bringing the ecosystem to the table together to try to resolve a lot of areas of great conflict, some of which I’m gonna say are still unresolved, but clearly not being ignored and being worked on together, and the together part is a really key piece of it.
0:06:27.8 SS: So over the years, to kind of fast-forward, our work really involved developing these types of outreach and engagement, learning from others, sharing with others our learnings, and, “How does the FDA operate? What is a regulatory regime? What does the oversight of medical devices look like from a government perspective?” and therefore, “What are the pain points and the constraints that industry has to be aware of and has to be operating under?” That enabled us, all of that, to undertake both work on defining and articulating pre-market policy, in other words what our expectations are of medical device manufacturers as they design and develop new medical devices in terms of building security into that design and what FDA was seeking to see in those submissions as indicative of that.
0:07:30.5 SS: And then beyond that, because all of these learnings were kinda happening concurrently, we were dealing with a lot of researchers approaching us directly around vulnerabilities that they were identifying on the post-market side, in other words, for devices that are in use, that are in distribution, and recognizing that there was a lot of work to be done on post-market management of medical device vulnerabilities, “How do we create kind of a loop here in terms of learnings from the post-market side that can then further inform more secure and rigor and greater security built in at the front end?” And so it’s been this journey of pre-market, of post-market, of coordinated disclosure of vulnerabilities, of indicating through, really bringing everyone together what makes for a more mature ecosystem.
0:08:35.5 SS: We still have a ways to go, but we started off very, very immature, the ecosystem as a whole. And there’s been a good amount of learnings as we’ve gone down this path. I could probably talk for hours on this, Mike. I don’t want to, I really… [chuckle] I don’t wanna hijack the entire discussion, there is so much we could be talking about. But at a high level, that’s where we are right now, pre-market guidance, post-market guidance. We’re right now iterating on the pre-market guidance, because what we did back in 2013, 2014 was good for then, but we’re in a very dynamic and evolving universe here, and we have higher expectations, and we’re raising the bar with respect to what we wanna see from industry now in 2021. And so this is a continuous improvement process and one that really requires everybody to play a part in.
0:09:34.2 MM: And I don’t know that every listener really understands the level of the journey that you’re talking about. When I got… When I went to GE Healthcare in 2013, when I got there, it was regular practice to hard code the root passwords to all of our machines and then print those passwords in the manuals. And very quickly with the pre-market guidance in 2014 and the post-market guidance in 2016, you all raised the game, and the manufacturers came along. And I’m gonna throw it to Kevin here, ’cause he’s… As you said, he’s the new member of the team. But, Kevin, what’s current state on the journey? What are you all working on today? What’s in the brain? We’ll come back to the new pre-market draft, but what else is going on?
0:10:13.4 KF: Yeah. Well, I think just to dovetail off sort of the little bit of history there, I think that it’d be helpful to contextualize what’s going on now. I would say what’s going on now is much more constructive on the equivalent to positive control, what are positive approaches to security design to really build security in. And for context, 15 years ago when we were having some early discussions on medical device security with manufacturers and regulators and trade associations, it was a very different world. In fact, I was once told never to say the word, “attack”, it was considered verboten, in some discussions couldn’t even happen in an open meeting room, and it was a very sensitive area. And today I would say it’s very different. I’d say there’s a lot more acceptance that this is a problem, not just for the shared responsibility, but it’s a problem that we all want to solve.
0:11:08.1 KF: And the challenge has become not whether it’s a problem but how to solve these problems. And so today we’re seeing… At least within FDA, there’s quite a bit of activity on things such as threat modeling. Threat modeling is what I consider the fundamental… Almost the fundamental mathematics of how do you even begin to have good security posture. Without a threat model, you really can’t even begin. And then a number of other programs such as the Joint Security Plan, which is about how to build security engineering into the total product development life cycle of a medical device from the very beginning of design to the retirement from the market. We also have advances going on today on the topic of software bill of materials, SBOMs, these are effectively ingredient lists of third-party software for many different use cases to improve security, not just knowing what’s the risk, but then even in post-market being able to better ascertain when there’s a computer security vulnerability whether the medical device is affected in a clinically relevant way. But there are a number of ongoing activities. But those are a few of, I think, some of the ones I would highlight.
0:12:20.1 MM: So I don’t know which of you wants to jump in, feel free. But why has SBOM become so controversial? What is the controversy here? And why is this… It seems like since SBOM was included in the executive order, now it’s a topic of debate again. And I actually thought it was a solved problem, but maybe you all wanna throw in.
0:12:38.5 SS: Yeah, scratching my head a little bit here in terms of what the conflict is about, why so much debate around SBOM. We see the importance of transparency across all different domains of effort that medical device manufacturers need to undertake when it comes to medical devices. That’s kind of why we have labeling for different medical products. That’s why when there are risks identified or hazards identified with respect to medical device performance, its safe performance, that there is an expectation, not only an expectation, there’s a requirement around what manufacturers need to do as far as communicating and being transparent to their customers and to the public about what those risks are and how best to mitigate them. To us, this is an extension of that level of transparency, of having that bill of materials available to the device manufacturers, to their customers, so that when incidents occur…
0:13:49.4 SS: Let’s take WannaCry as an example, which presented extraordinary difficulties, extraordinary challenges for healthcare delivery organizations throughout the United States who had no clue as to where they should be looking across their networks, within devices that reside on their networks, as to whether any of those devices have the vulnerability that needs to be protected against. And so we see this as an important part of, A, risk mitigation and being able to best protect against the potential for an exploit to occur or an attack to occur that could otherwise knock devices out of their being available for clinical use. I think that a lot of, at least the discussions that I’ve heard around manufacturers, and this kind of goes back to the workshop that we had in the Winter of 2019, where in our pre-market guidance that we issued, which was a new draft in late 2018, we actually included something that we called CBOM, Cybersecurity Bill of Materials, which we defined as inclusive of not just software, but hardware as well.
0:15:16.3 SS: And of course, as is the case with all draft guidances that FDA puts out, there’s always a public comment period, there’s a docket that’s established. We do wanna hear feedback, we want to understand exactly what the difficulties might be with executing or implementing what we put out as guidance recommendations. And there was a lot of discussion we had, at least one or two like full sessions, that was a discussion related to CBOM. Based upon a lot of what we learned, it was clear that we really have to take an approach of crawl, walk, run here. CBOM, while might be aspirational, let’s just start with some very basics upon which we can build, which would be the concept of a software bill of materials. Because that’s also gonna be the majority in terms of an 80/20 solution, that’s gonna be the majority of the concerns that really need to be addressed. And from the medical device manufacturer’s perspective, they’ve come around a lot to the importance of SBOM. I think what we hear within, again, our specific stakeholder ecosystem is more around, What does implementation of it look like? How many layers deep are you going?
0:16:36.5 SS: So it isn’t so much negativity around the concept of an SBOM, I think everyone has rallied around that. It’s also included in our International Medical Device Regulators Forum, IMDRF guidance, that we co-chair an effort there. We put out a guidance in 2020, the SBOM is called out there, as well, and that includes global industry and global regulators. And we are working now on the next generation of that, the next work item, which is, What does implementation look like? So more discussion about the devil in the details as to how you’re gonna execute on this. What is it that is meaningful information to the consumer and the user of the device, and what is information that is not gonna be actionable information? That’s the perspective that I have, but I certainly wanna hear, Kevin, what your thoughts are here.
0:17:37.1 KF: Right. Well, I was introduced to SBOM probably through a different channel since I wasn’t in a regulatory agency at the time, I was working in Michigan as a professor and running the Archimedes Center for Medical Device Security. And what I found interesting about SBOM, is I first heard about it through a manufacturer, a large manufacturer who was pitching it as, “We just have to do it, it’s a no-brainer.” If you don’t have an ingredient list of what’s on the inside of third-party software, it’s just extremely difficult to make any kind of calculations or claims about the assurance in this software security. And along the lines of this walk, crawl, run, one of the… Excuse me, crawl, walk, run, one of the crawling parts would be basic elements such as, well, What version of your basic operating system are you running? Although that’s not what I would consider sort of a complete SBOM, even having that alone is already helpful to know. Because if you don’t know what version’s on the inside, it’ll be difficult for you to know how well is it even patched.
0:18:40.1 MM: In the early days of SBOM, the consternation for some medical device manufacturers was that by publishing all of that information and by being that transparent, the number of patches they would have to figure out how to issue would go skyrocketing up as soon as all of their customers could hold them accountable. And I think that’s actually why I think SBOM is so important is because I talk to folks at hospitals all the time, and we talk about certain devices and they say, “We’ve applied all the manufacturer’s patches.” And it’s Windows 7 with an early service pack and it’s vulnerable to any number of remote exploits, but the manufacturer hasn’t provided those patches. And I think that that’s where SBOM, it allows the HDOs to figure out how to detect those things. That’s why I say I think it’s a solved problem, but I don’t know what you all are thinking and seeing, but I’m guessing it’s something similar.
0:19:29.8 KF: Oh, that’s one of the major use cases of an SBOM to help the HDOs understand risk, and of course, there are others, such as in the pre-market, just understanding the portfolio of risk that’s being inherited and understanding what controls are in place for those risks.
0:19:45.8 SS: The other thing I would add to that is we’ve been faced over the past year, predominantly with… Almost like a different trend, different types of vulnerabilities than we had been faced with in the earlier years of 2014 through 2018-19. And what I mean by that is a lot of the third-party vulnerabilities that are ubiquitous as far as the devices that they are in. And when I say devices here, I’m talking about not only medical devices, but consumer devices, everything, kind of the entire universe of devices. So without having an understanding of whether certain software is within medical devices writ large, it’s very difficult for us even at the agency to try to figure out or SEG a vulnerability or SET a vulnerability, Urgent/11 was a good example of that of… Well, how exposed is the medical device or healthcare sector right now, we don’t even know where this is, and many of the manufacturers wouldn’t necessarily be able to have at their fingertips that information without… Again, having an SBOM available to them. So it’s going to make life a lot easier for all of us with regard to once vulnerabilities are identified, how to actually recognize, where are they. And then understanding where they are isn’t where… The buck doesn’t stop there, it’s then figuring out what kind of impact do they possibly present.
0:21:34.8 SS: Mike, I think you know from having been involved and seeing our post-market guidance, we do make a very clear distinction between something that we call controlled versus uncontrolled vulnerabilities, in a lay person’s terms, what would we consider vulnerabilities that are unacceptable because of the risk to patient health that’s unmitigated, and those are gonna require obviously a different level of urgency, attention and mitigation of that risk or remediation of the issue versus what is assessed to be controlled. And so again, the process doesn’t end simply with determining, does my device have this vulnerability or not, but beyond that, we wanna understand the exploitability of the vulnerability as well as what its severity of impact is. So there’s a fair amount of work that has to happen here. And what we have been trying to drive for is accelerating that process, so it’s not as lengthy a process as occurs in other situations where a hazard may be identified, why? Because we know that vulnerabilities on a cybersecurity… From a cybersecurity perspective, if they are exploited, things can happen very, very, very rapidly. And we are really looking to try to reduce the risk of that occurring.
0:23:02.2 Speaker 5: Thank you for joining us today for part one of this two-part special episode of conversations with the FDA’s Suzanne Schwartz and Kevin Fu. I’m Phil, producer of In Scope The Healthcare Security Podcast. Please stay tuned for part two and make sure you never miss great conversations like these by subscribing to this podcast wherever you get your podcasts. We appreciate your continued support.
0:23:27.9 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up. Or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]
ABOUT THE GUESTS
Suzanne B. Schwartz, MD, MBA is the Director of the Office of Strategic Partnerships and Technology Innovation (OST) at FDA’s Center for Devices & Radiological Health (CDRH).
Suzanne’s work in medical device cybersecurity includes raising awareness, educating, outreach, partnering, and coalition-building within the Healthcare and Public Health Sector (HPH) as well as fostering collaborations across other government agencies and the private sector. Suzanne has been recognized for Excellence in Innovation at FDA’s Women’s History Month for her work in Medical Device Cybersecurity. Most recently, she received the 2021 Routhy Award from the H-ISAC for her leadership in cybersecurity in healthcare, especially during the COVID-19 pandemic.
Together with Health Canada, Suzanne has represented FDA in co-chairing the International Medical Device Regulators Forum (IMDRF) Work Group on Medical Device Cybersecurity leading to its first international guidance publication in March 2020. She chairs CDRH’s Cybersecurity Working Group, tasked with formulating FDA’s medical device cybersecurity policy and has additionally served as co-chair of the Government Coordinating Council (GCC) for the HPH Critical Infrastructure Sector, focusing on the sector’s healthcare cybersecurity initiatives.
Kevin Fu is Associate Professor of EECS at the University of Michigan, where he directs the Security and Privacy Research Group (SPQR.eecs.umich.edu). During 2021, Fu is also Acting Director of Medical Device Cybersecurity at FDA’s Center for Devices and Radiological Health (CDRH) and Program Director for Cybersecurity, Digital Health Center of Excellence (DHCoE). He is best known for the original 2008 cybersecurity research paper showing vulnerabilities in an implantable cardiac defibrillator by sending specially crafted radio waves to induce uncontrolled ventricular fibrillation via an unintended wireless control channel. The prescient research led to over a decade of revolutionary improvements at medical device manufacturers, global regulators, and international healthcare safety standards bodies just as ransomware and other malicious software began to disrupt clinical workflow at hospitals worldwide.