FDA Issues More Medical Device Security GuidanceLatest Recommendations Focus on Postmarket Cybersecurity Risks
New proposed cybersecurity guidance from the Food and Drug Administration is an important step in getting medical device manufacturers more focused on the risks posed by their products as they're used in healthcare settings, security experts say.
The draft guidance on postmarket cybersecurity, issued on Jan. 15, follows the FDA's release in October 2014 of a similar document urging medical device makers to address cybersecurity risks in the pre-market design of their products (see FDA Issues Medical Device Security Guide).
"Because cybersecurity risks to medical devices are continually evolving, it is not possible to completely mitigate risks through premarket controls alone," the FDA notes. "Therefore, it is essential that manufacturers implement comprehensive cybersecurity risk management programs and documentation consistent with [FDA's] Quality System Regulation, including but not limited to complaint handling, quality audit, corrective and preventive action, software validation and risk analysis and servicing."
Some security experts say the new FDA guidance, for which compliance is voluntary, will play an important role in improving cybersecurity.
"When a medical device is released, the manufacturer's security obligations do not stop," says independent security researcher Billy Rios, who has previously alerted the FDA, Department of Homeland Security, and manufacturers about cyber flaws he identified in specific medical devices, potentially putting patient safety at risk (see FDA: Discontinue Use of Flawed Infusion Pumps) .
"I like that the document establishes what the FDA expects manufacturers to do to provide security support to devices after they have been released," he says.
Rios also praises the guidance for reminding manufacturers that they can issue most security patches without FDA approval. While the FDA has taken this position for quite some time, many manufacturers have continued to resist issuing passes by inappropriately citing the need for FDA product reapproval, he notes.
Although the FDA's post-market guidance is directed primarily at device manufacturers, it "provides a document healthcare delivery organizations can reference when they encounter this excuse in the future," he says.
The guidance highlights many steps that device manufacturers "should have been doing all along," Rios contends. "This will help those device manufacturers who are serious about security get buy-in from their executive leadership. For those that are not serious about cybersecurity, we will have to wait until they are compelled to act."
Kevin Fu, director of the Archimedes Center for Medical Device Security at the University of Michigan, says the new guidance helps to broaden the focus on cybersecurity during the lifecycle of medical devices.
"The draft postmarket guidance addresses expectations of gathering and sharing cybersecurity threats and vulnerabilities," he notes. "Unlike the premarket guidance that was primarily about security engineering, this document is about people and communication. This problem is challenging because of the unusual bedfellows: medical device manufacturers, healthcare providers and whitehat hackers."
While the guidance draws more attention to cybersecurity, it could use some refinement, Fu contends.
"One problem is that the terms 'networked devices' and 'connected' are not the right word choices," he says. "A network is not necessary for a cybersecurity exploit; malware gets in just fine by unhygienic USB drives carried by unsuspecting personnel. Social engineers still use telephones to trick personnel into enabling unauthorized remote access. The FDA will need to refocus on outcomes of compromise rather than the constantly evolving modality of delivery of exploits."
In its new guidance, the FDA notes: "In addition to the specific recommendations contained in this guidance, manufacturers are encouraged to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device."
A growing number of medical devices are designed to be networked to facilitate patient care, the FDA notes. "Networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats. The exploitation of vulnerabilities may represent a risk to the safety and effectiveness of medical devices and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits."
The FDA says the draft guidance clarifies the agency's recommendations and emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices. "For the majority of cases, actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered 'cybersecurity routine updates or patches,' for which the FDA does not require advance notification or reporting," the document notes.
"For a small subset of cybersecurity vulnerabilities and exploits that may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death, the FDA would require medical device manufacturers to notify the agency."
The recommendations in all FDA guidance, including the new draft guidance, are voluntary, the FDA spokeswoman notes. "Guidances, when finalized, represent the agency's thinking on certain topics, including on current regulation. While they do not establish legally enforceable responsibilities, the recommendations outlined in this draft guidance are consistent with the FDA's quality systems requirements for all medical device manufacturers. Any manufacturer not in compliance with FDA quality system regulations is in violation of the Federal Food, Drug and Cosmetics Act and the FDA can take appropriate action, as necessary."
The FDA will accept public comment on the draft guidance for 90 days after its publication in the Federal Register, which is expected this week. The agency also expects to discuss preliminary feedback during a medical device cybersecurity workshop that it's hosting Jan. 20 and 21.
The draft guidance recommends that manufacturers implement a structured and systematic comprehensive cybersecurity risk management program and respond in a timely fashion to identified vulnerabilities. Critical components of such a program should include:
- Applying the 2014 National Institute of Standards and Technology voluntary Framework for Improving Critical Infrastructure Cybersecurity;
- Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
- Understanding, assessing and detecting presence and impact of a vulnerability;
- Establishing and communicating processes for vulnerability intake and handling;
- Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk;
- Adopting a coordinated vulnerability disclosure policy and practice; and
- Deploying mitigations that address cybersecurity risk early and prior to exploitation.