FDA Drafts Medical Device Security GuideRisk Mitigation Tips for Healthcare Providers Also Offered
The guidance recommends device manufacturers document their risk analysis of cybersecurity threats and vulnerabilities as well as ways to mitigate those risks, such as through encryption.
While the draft guidance includes only recommendations, and not mandates, for manufacturers, it also is intended to guide FDA staff members who review products for approval, says Bakul Patel, senior policy adviser to the director of the Center for Devices and Radiological Health at the FDA. The guidance, when finalized, would establish "FDA staff expectations" for what to consider when reviewing devices, he explains.
In addition to the guidance, the FDA also issued a "safety communication" to manufacturers and healthcare organizations listing steps they should consider taking to mitigate cybersecurity risks to medical devices. For healthcare providers, those steps include making sure their anti-viral software and firewalls are updated, ensuring that access to networked devices is restricted and making sure that medical device makers are contacted about any cybersecurity issues.
"We are looking at how to raise awareness of these medical device cybersecurity issues," Patel says. "These are multi-stakeholder issues, and everyone needs to do their part."
Mark Olson, CISO at Beth Israel Deaconess Medical Center in Boston, calls the FDA announcements "a very positive step." He says the FDA "is placing a requirement on the manufacturers to acknowledge that they need to be part of the solution in protecting their equipment at the customers' location. It is a well-balanced approach, placing joint responsibility on the vendor and the user of the products. For security practitioners, the model of joint responsibility is ideal."
FDA released the document on the Federal Register inspection desk on June 13. The agency will accept comments for 90 days after the guidance is officially published in the Federal Register. After that, the FDA will review the comments and then issue a final guidance, Patel explains. That final guidance will take into account, for example, feedback on such issues as when manufacturers should implement the cybersecurity controls in the design of their products prior to FDA approval.
The issuance of the seven-page guidance addresses growing FDA concerns about cybersecurity risks to medical devices. That's especially in light of "increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information," the guidance notes.
"Manufacturers should develop a set of security controls to assure medical device cybersecurity to maintain information confidentiality, integrity and availability," the FDA states.
"This draft guidance, when finalized, will represent the FDA's current thinking on this topic," the document states. "You can use an alternative approach if the approach satisfies the requirements of the applicable statutes and regulation."
The recommendations are "to assist industry by identifying issues related to cybersecurity that manufacturers should consider in preparing premarket submissions for [FDA approval of] medical devices," the draft guidance notes.
FDA defines cybersecurity "as the process of preventing unauthorized modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient."
Failure to maintain cybersecurity "can result in compromised device functionality, loss of data availability or integrity, or exposure of other connected devices or networks to security threats. These, in turn, have the potential to result in patient illness, injury, or death," the draft guidance notes.
"Manufacturers should consider cybersecurity during the design phase of the medical device, as this can result in more robust and efficient mitigation of cybersecurity risks," the FDA states.
The guidance says manufacturers "should define and document" components of their cybersecurity risk analysis and management plan. Those assessment components include threats and vulnerabilities, their impact on device functionality, likelihood of the exploitation and suitable mitigation strategies.
The agency recommends that medical device manufacturers provide justification for the security features chosen and consider appropriate security control methods, such as:
- Limiting access only to trusted users through methods such as multi-factor authentication, automatic log-off, strong passwords, and physical locks;
- Ensuring trusted content by methods such as restricting software and firmware updates to authenticated code, and securing data transfer to and from the device through encryption; and
- Using fail-safe and recovery features in devices.
In addition to the guidance for medical device manufacturers, FDA also issued a "safety communication" to medical device manufacturers, hospitals, medical device user facilities, healthcare IT and procurements staff, and biomedical engineers.
"The FDA is recommending that medical device manufacturers and healthcare facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyber-attack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks," the document notes.
The FDA recommends healthcare organizations, including hospitals, "take steps to evaluate your network security" and take such steps as:
- Restricting unauthorized access to the network and networked medical devices;
- Making certain appropriate antivirus software and firewalls are up-to-date;
- Monitoring network activity for unauthorized use;
- Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services;
- Contacting the device manufacturer if a cybersecurity problem is suspected;
- Developing and evaluating strategies to maintain critical functionality during adverse conditions.
Threats on Horizon
Patel says cybersecurity threats are increasing, but the FDA "is not aware of any patient injuries or deaths associated with these incidents. Still, we think the threats on the horizon will get bigger, not smaller ... and we want to keep patients safe."
The FDA "does not have any indication that any specific devices or systems in clinical use have been purposely targeted at this time," according to the safety communication. "The FDA has been working closely with other federal agencies and manufacturers to identify, communicate and mitigate vulnerabilities and incidents as they are identified."
Olson, the CISO at Beth Israel Deaconess Medical Center, says: "Going forward, the challenge will be to find that right balance where the vendor provides security 'options' within their product ... thus allowing the user to select the right combination that best fits their security needs and business. This guidance provides just the right amount of motivation for that to occur," he says.
Kevin Fu, a professor and medical device researcher at the University of Michigan, says the guidance "won't be a silver bullet, but I'm optimistic it will help" to address cybersecurity threats to medical devices. "This is really a new issue for FDA. It would've been nice to have seen guidance sooner considering the growth of [web-enabled] medical devices. But these are complex issues, so better late than never."