FDA Issues Medical Device Guidance
Agency: Encrypt, Authenticate Devices
The Food & Drug Administration has issued new guidance on radio frequency wireless technology in medical devices, including recommendations for authentication and encryption to reduce security risks and related patient safety threats.
The new guidance, Radio Frequency Wireless Technology in Medical Devices, issued on Aug. 13, includes proposals aimed primarily at device designers and manufacturers.
"Our recommendations cover devices that are implanted or worn on the body, and others intended for use in locations such as hospitals, homes, clinics and clinical laboratories," says the FDA guidance. "They cover such considerations that relate to the design, testing, deployment and maintenance of safe, reliable and secure wireless medical devices and systems."
The new FDA recommendations include the use of encryption and authentication to secure medical devices' wireless signals and data against hackers and other unauthorized users.
"Security of radio frequency wireless technology is a means to prevent unauthorized access to patient data or hospital networks and to ensure that information and data received by a device are intended for that device," the guidance says. "Authentication and wireless encryption play vital roles in an effective wireless security scheme."
'Very Important' Guidance
While the guidance is directed primarily at device manufacturers, the recommendations - if implemented - potentially have wide impact.
"Increasingly, the healthcare enterprise and associated devices are becoming wireless enabled and integrated. So, this type of guidance is very important," says Dale Nordenberg, M.D., executive director of the Medical Device Innovation, Safety and Security Consortium, whose members include representatives from healthcare delivery systems, government agencies, and vendors.
"Authentication and encryption will help protect against hacking to prevent the possibility of access to the device and associated networks by unauthorized personnel to protect both patient safety and patient privacy," Nordenberg says. "In certain cases, taking control of a device could result in broader access to the enterprise's IT devices and assets."
The FDA document may help hospitals by providing guidance to manufacturers to install security capabilities and controls in the medical device, as well as by communicating to hospitals that it's important to enable and deploy security features once they are available on medical devices, Nordenberg says.
The FDA document notes that while most wireless technologies have encryption schemes available, encryption might need to be enabled and assessed for adequacy for the medical device's intended use. "The security measures should be well coordinated among the medical device components, accessories and system, and as needed, with a host wireless network," says the guidance.
While the FDA makes broad security recommendations, it shies away from being too specific.
"The guidance document is careful not to list specific techniques in most cases because the landscape is always evolving, and I believe that the FDA does not want to be prescriptive," says Shane Clark, a medical device researcher at the University of Massachusetts Amherst.
"Almost any encryption or authentication techniques are an improvement over sending sensitive data unprotected, but there are so many different medical devices out there and so many encryption/authentication options that I could not speculate about what is appropriate in any sort of general case," he says.
The FDA also notes: "Security management should also consider that certain wireless technologies incorporate sensing of like technologies and attempt to make automatic connections to quickly assemble and use a network," including "a discovery mode such as that available in Bluetooth communications."
For certain types of wireless medical devices, this kind of discovery mode could pose safety and effectiveness concerns, i.e. remote control of the medical device.
In fact, over the past couple of years, a handful of white hat hackers, including the late Barnaby Jack, have demonstrated how they gained remote control over medical devices such as insulin infusion pumps and heart defibrillators to potentially deliver dangerous doses of medication or shocks to patients.
FDA proposes that medical devices utilize wireless protection - such as wireless encryption, data access controls, secrecy of the 'keys' used to secure messages - at a level appropriate for the risks, environment, type and probability of the risks to which the device is exposed, and the probable risks to patients from a security breach.
Specifically, FDA recommends that the following factors be considered during the design and development of medical devices:
- Protection against unauthorized wireless access to device data and control. "This should include protocols that maintain the security of the communications while avoiding known shortcomings of existing older protocols, such as Wired Equivalent Privacy or WEP."
- Software protections for control of the wireless data transmission and protection against unauthorized access. "Use of the latest up-to-date wireless encryption is encouraged."
The release of the new radio frequency guidance follows other recent activities by FDA to bolster medical device security. Those include a draft guidance for medical device cybersecurity and a "safety communication" to manufacturers and healthcare organizations listing steps they should consider taking to mitigate cybersecurity risks to medical devices. Both were issued in June.