
Medical devices can be vulnerable to security breaches in the same way as any other networked computing device, and a breach may affect a device's safety and effectiveness. The FDA (Food and Drug Administration) has issued final guidance asking manufacturers to consider cybersecurity risks as part of medical device design and development. The guidance contains voluntary recommendations and does not establish any legally enforceable responsibilities.

These security guidelines are significant in conveying to device manufacturers and other stakeholders the current state of evolving best practices in medical device security. They finalize the draft guidance the FDA issued in June 2013 and are part of the FDA's efforts to improve the cybersecurity of medical devices.

FDA recommendations to mitigate and manage cybersecurity threats

The exposure of medical devices to threats has grown as these products are increasingly connected to hospital networks, the internet, and other medical devices. Effective cybersecurity is therefore needed to assure the functionality and safety of the device.

In response, the FDA has developed the guidance document to help manufacturers identify the cybersecurity issues that should be considered when designing and developing medical devices and when preparing premarket submissions.

The FDA recommends that manufacturers consider cybersecurity risk as part of medical device design and development, submit documentation to the FDA about the risks identified, and put controls in place to mitigate those risks. The document also gives manufacturers recommendations on planning for updates and patches to the operating system and the medical software.

Security measures to be considered by device manufacturers

The Food and Drug Administration suggests the following security measures, which medical device manufacturers should consider to protect their devices from unauthorized access:

  1. Use authentication to limit access to the medical device to trusted users. Methods include username and password, biometrics, smart cards, and multi-layered authentication.
  2. Make sure data is transferred securely to and from the medical device, using encryption wherever appropriate.
  3. Implement functionality that allows analysts to detect, recognize, log, time, and act upon any security compromise.
  4. Provide end users with information on the appropriate actions to take when a cybersecurity event is detected.

Key information for premarket submission

The FDA has also outlined the key cybersecurity information manufacturers should provide in their premarket submissions for FDA review. It includes:

  1. Hazard analysis, risks, and design considerations related to the medical device.
  2. A traceability matrix that links the actual cybersecurity controls to the risks that were considered.
  3. A summary of the controls in place to ensure that the medical device software maintains its integrity from the point of origin to the point at which the device leaves the manufacturer's control.
  4. Instructions for use of cybersecurity controls such as firewalls or anti-virus software.
  5. A summary of the plan to provide validated software patches and updates throughout the device lifecycle to continually assure its safety and effectiveness.

The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity. Manufacturers therefore generally do not have to resubmit their devices for re-approval when they apply anti-malware updates or issue patches to address new cyber threats.

Most security experts agree that the new guidance is a step in the right direction for medical device cybersecurity. It takes a reasonable, risk-based approach in its recommendations to manufacturers. Given the rapidly expanding adoption of consumer health devices and apps, mobile health, wearable devices, and telemedicine, manufacturers need to focus on the security and privacy of medical devices.


About the Author: Shuchi Sankhyayan is a Mumbai-based Content Specialist who has spent 15+ years in the healthcare, medical device, manufacturing, content and software industries. She is currently a Content Specialist at Technosoft Innovations, Inc., where she documents and presents the company's latest research and innovations in the medical device industry. She holds a graduate degree in Science and a post-graduate degree in HR. In her spare time she is an avid reader and hobbyist, and she enjoys sharing medical device development knowledge and experience through her posts and articles.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.