FDA Issues Medical Device Security GuideSecurity Steps for Manufacturers Are Voluntary, Not Mandatory
The Food and Drug Administration has issued final guidance calling for manufacturers to consider cybersecurity risks as part of the design and development of medical devices.
The guidance contains voluntary recommendations, and does not establish "legally enforceable responsibilities," the FDA notes.
"While these security guidelines don't carry the enforceable weight of a FDA regulation, these security guidelines are very important in conveying to manufacturers and medical device stakeholders the current state of evolving key best practices for medical device security," says Dale Nordenberg, M.D., executive director of the Medical Device Innovation, Safety and Security Consortium. The group aims to help manufacturers and healthcare providers improve the cybersecurity of medical devices.
"It is very common for the FDA to use guidelines for the purpose of advancing best practices in a relatively expeditious manner."
The new final guidance - which follows similar draft guidance the FDA issued in June 2013 - is part of the agency's overall efforts to improve the cybersecurity of medical devices.
Last week, the FDA announced it plans to host a medical device cybersecurity workshop for healthcare sector stakeholders Oct. 21-22. The FDA also revealed work with the Department of Homeland Security's ICS CERT to enhance communication about cybersecurity issues affecting medical devices, and a partnership with the National Health Information Sharing and Analysis Center to bolster healthcare sector information sharing related to medical device cybersecurity. FDA and NH-ISAC are also collaborating to adapt the NIST Cybersecurity Framework for assessing and mitigating security risks involving medical devices (see Ramping Up Medical Device Cybersecurity).
Recommendations for Manufacturers
The new guidance, "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices - Guidance for Industry and Food and Drug Administration Staff," recommends that manufacturers consider cybersecurity risks as part of the design and development of a medical device, and submit documentation to the FDA about the risks identified and controls in place to mitigate those risks. The guidance also recommends that manufacturers submit their plans for providing patches and updates to operating systems and medical software.
"The need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information," the guidance says.
The FDA says it developed the document "to assist industry by identifying issues related to cybersecurity that manufacturers should consider in the design and development of their medical devices as well as in preparing premarket submissions for those devices."
The FDA suggests security measures that device manufacturers should consider for protection of medical devices. Those include:
- Limiting access to devices to trusted users through the use of authentication, such as ID and password, smart card and biometrics, including multi-layered authentication "where appropriate;"
- Ensuring secure data transfer to and from the device, using encryption where appropriate;
- Implementing features that allow for security compromises to be detected, recognized, logged, timed and acted upon;
- Providing information to end users concerning appropriate actions to take upon detection of a cybersecurity event.
The FDA also outlines key information that manufacturers should provide in their premarket submission for FDA product approval related to the cybersecurity of their medical device, including:
- Hazard analysis, mitigations and design considerations pertaining to cybersecurity risks associated with the device;
- A traceability matrix that links actual cybersecurity controls to the cybersecurity risks that were considered;
- A summary describing controls that are in place to assure that the medical device software will maintain its integrity - such as remain free of malware - from the point of origin to the point at which that device leaves the control of the manufacturer;
- Instructions for use of recommended cybersecurity controls, such as anti-virus software or firewalls, appropriate for the intended use environment;
- A summary of the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device to continue to assure its safety and effectiveness.
"The FDA typically will not need to review or approve medical device software changes made solely to strengthen cybersecurity," notes the guidance, in an apparent attempt to clarify frequent market confusion concerning whether manufacturers need to resubmit their devices to the FDA for re-approval when the manufacturers consider issuing patches and anti-malware updates to address new cyberthreats.
Step In Right Direction
Some security experts say the new guidance is a step in the right direction for bolstering medical device cybersecurity.
"It's a positive for healthcare sector overall that the FDA final guidance does not separate medical device manufacturers' considerations for patient safety and cybersecurity in their premarket submissions as distinct areas of risk," says Rick Comeau, vice president of security controls and automation at the Center for Internet Security. The not-for-profit organization runs the Multi-State Information Sharing and Analysis Center, or MS-ISAC. "FDA recognizes that a cyber compromise may actually cause harm to a patient if the cyber incident substantially reduces or even completely incapacitates a device's ability to function."
Comeau adds that the guidance "does not take a 'sky is falling' perspective but rather a reasonable and risk-based approach to its cybersecurity recommendations to device manufacturers."
Stephen Cobb, a senior security researcher at anti-malware provider ESET, says, "While long overdue, this move by the FDA is to be welcomed. Any efforts to focus attention on the security and privacy aspects of medical devices should be embraced, especially in light of the rapidly expanding adoption of consumer health devices and apps, mobile health, wearable technology and telemedicine."
But Lysa Myers, another security researcher at ESET, adds: "The guidance is a good start, but it would be preferable if it had some teeth," such as being an enforceable regulation as opposed to a voluntary guidance. "It would only take one security incident physically harming a person to really shake consumers' and healthcare providers' trust in a device," she says. "And that sort of incident could also affect the trust of even providers of unrelated medical devices. I'm not saying this will happen tomorrow, but with devices that are not intended to be replaced on a yearly basis, you need to be looking many years down the line."
Nordenberg, of the consortium, notes that guidelines, rather than regulations, "allow input while domains of expertise and understanding are evolving and allow industry to build capability and capacity. Regulations generally take longer to develop. They are more prescriptive which is not always needed or desirable."