FDA Issues Guidance on Medical Device Cybersecurity

By Luis Salazar July 3, 2013 Posted in Firm News

Here’s something a bit unnerving: life-saving and life-enhancing medical devices – pacemakers, patient monitors, and imaging scanners, for example – are vulnerable to hackers and malicious intrusions. Those vulnerabilities can, of course, have catastrophic impacts on patients who rely on those devices, but even patient fear of these vulnerabilities can have adverse repercussions. Patients may simply avoid updating or servicing their devices.

The Guidance provides recommendations to consider and document in FDA medical device premarket submissions to provide effective cybersecurity management and to reduce the risk that device functionality is intentionally or unintentionally compromised. The Guidance defines cybersecurity as the process of preventing unauthorized modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.

The Guidance recommends that manufacturers should develop a set of security controls to assure medical device cybersecurity in three areas.

First, manufacturers should ensure information confidentiality, requiring that data, information, or system structures be accessible only to authorized persons and entities and be processed at authorized times and in the authorized manner, thereby helping ensure data and system security. Second, manufacturers should ensure information integrity, requiring that data and information be accurate and complete and not improperly modified. And, third, manufacturers should ensure information availability, requiring that data, information, and information systems be available when needed.

The Guidance urges manufacturers to consider cybersecurity during the design phase of the medical device, and should define and document the components of their cybersecurity risk analysis and management plan as part of the required risk analysis for product approval. For example, manufacturer’s risk analysis should: consider and identify assets, threats, and vulnerabilities; assess the impact of the threats and vulnerabilities on device functionality; assess the likelihood of a threat and of a vulnerability being exploited; and determine risk levels and suitable mitigation strategies.

The FDA also recommends that medical device manufacturers provide justification in the premarket submission for the security features chosen and consider appropriate security control methods for their medical devices. Those controls can include limit access to devices through the authentication of users (e.g., user ID and password, smartcard, biometric), using automatically timed user session log-offs, and using multi-factor authentication to permit privileged device access (e.g., to administrators, service technicians, maintenance personnel). Where appropriate, manufacturers should even include physical locks on devices and their communication ports to minimize tampering. A manufacturer’s chosen controls should also include mechanisms to ensure trusted content, such as restricting software or firmware updates to authenticated code, and ensuring secure data transfers to and from the device, and when appropriate, use accepted methods for encryption. And, in the event these measures fail, manufacturers should include fail safe and recovery procedures that protect the device’s critical functionality, even when the device’s security has been compromised, and that allow for security compromises to be recognized, logged, and acted upon.

The Guidance also specifies that, in the premarket submission, manufacturers should provide the following information related to the cybersecurity of their medical device:

1. Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including:

• A specific list of all cybersecurity risks that were considered in the design of your device;

• A specific list and justification for all cybersecurity controls that were established for your device.

2. A traceability matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered;

3. To assure continued safe and effective device use, the systematic plan for providing validated updates and patches to operating systems or medical device software, as needed, to provide up-to-date protection and to address the product life-cycle;

4. Appropriate documentation to demonstrate that the device will be provided to purchasers and users free of malware; and

5. Device instructions for use and product specifications related to recommended anti-virus software and/or firewall use appropriate for the environment of use, even when it is anticipated that users may use their own virus protection software.