The US Food and Drug Administration (FDA) today released a major guidance document regarding security standards for medical device products, a response, FDA said, to increasing concerns about emerging and persistent vulnerabilities in medical devices that left them - and their patients - susceptible to accidental and purposeful harm. When implemented, the guidance would permit the agency to block a premarket application for a device if it does not have adequate cybersecurity controls.
The last several years have brought a drumbeat of warnings from security researchers, analysts and government agencies regarding the susceptibility of medical devices to hacking attempts. An April 2013 report from the National Institute of Standards and Technology (NIST) called on FDA to be given the authority to assess the security of medical devices before they are allowed to market, as well as the formation of a postmarketing surveillance database to track software vulnerabilities.
Then, in May 2013, the Department of Homeland Security (DHS) issued a similar warning, noting that FDA was then unable to regulate medical device use or users, including how devices are linked together or configured within networks. This creates problems, DHS's National Cybersecurity and Communications Integration Center (NCCIC) explained, because the security of each individual network largely dictates how secure each individual device on it is.
The report went on to note four principal factors affecting medical device security:
- Many devices are "legacy" medical devices approved before the adoption of the 1976 Medical Device Amendments, and are thus not subject to premarket approval testing by FDA.
- Some devices now come equipped with advanced networking capabilities which may be confusing to end-users. This complicates efforts to properly secure the devices from network intrusion.
- Network security functions may be the first to be cut if a healthcare facility is looking to cut its budget because they are the least obvious to patients.
- Because many medical devices contain protected health information, some healthcare facilities may not wish to expose the devices to security upgrades released by the manufacturer.
GAO to FDA: Fix This Problem
But the most influential report of all was likely one issued in September 2012 by the Government Accountability Office (GAO), which found that devices were vulnerable to two types of problems: Basic, unintentional issues like signal interference, and more serious "unauthorized accessing of a device," or hacking.
While conceding that the potential for hackers to gain access to devices has thus far remained conceptual, GAO nevertheless said that medical devices exhibit a number of potential vulnerabilities (untested firmware and software, unsecured wireless connectivity and battery life among them) which could affect their safety and effectiveness.
Hackers, they continued, could tamper with a device's settings, disabling key functions of the device without a user's knowledge, obtaining sensitive data about a patient or causing a complete device malfunction. This could be accomplished through remote access vulnerabilities, interruptible wireless signals, unencrypted data transfers, susceptibility to interference, faulty warning mechanisms, reliance on outdated and obsolete technologies and the inability to download security patches.
In response to GAO's report, FDA said it planned to reassess how it views information security risks, particularly in its postmarket surveillance efforts, the setting in which most device vulnerabilities are likeliest to emerge.
New FDA Guidance
Now, nearly a year later, FDA is out with a new draft guidance document that looks to be an attempt, albeit a non-regulatory one, to better address cybersecurity risks in medical devices.
The draft guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, explains that it has been developed to "assist industry by identifying issues related to cybersecurity that manufacturers should consider in preparing premarket submissions for medical devices."
"The need for effective cybersecurity to assure medical device functionality has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information," FDA wrote.
In an interview with the Washington Post, FDA's William Maisel, deputy director of the Center for Devices and Radiological Health (CDRH) said the guidance was released in response to an "uptick" in cybersecurity problems. "The type and breadth of incidents has increased," Maisel said, adding that FDA is now "hearing about them weekly or monthly."
The guidance covers all device submission types, including premarket notification submissions (510(k)s), de novo petitions, premarket approval applications (PMAs), product development protocols (PDPs), and humanitarian device exemptions (HDEs).
The guidance establishes what FDA says are three core principles for information security: confidentiality, integrity and availability. In other words, data must be accessible only to authorized users and for authorized purposes; must be accurate, complete and not improperly modified; and must be available when and where it is needed.
Failure to maintain these principles can result in injury or death in patients, FDA noted.
The bigger question addressed by the guidance, however, is what manufacturers will be expected to do. While falling short of requiring specific security standards, FDA's guidance calls on industry to "consider cybersecurity during the design phase of the medical device," noting that such considerations can mitigate actual and potential risks.
These considerations should be documented under a cybersecurity risk analysis and management plan under the terms of 21 CFR 820.30(g), FDA added, including:
- identification of assets, threats, and vulnerabilities
- impact assessment of the threats and vulnerabilities on device functionality
- assessment of the likelihood of a threat and of a vulnerability being exploited
- determination of risk levels and suitable mitigation strategies
- residual risk assessment and risk acceptance criteria
Not all devices will be held to the same standards, FDA added. For example, a device that exists in a highly networked environment and that is responsible for keeping a patient alive should be subject to vigorous security controls, while a non-networked heart monitor might be subject to less rigorous ones.
Security, though, does not exist in a vacuum without tradeoffs, and FDA is careful to note that companies will need to balance the security of the device with its usability, including in the various environments in which it is used. "For example, security controls should not hinder access to the device during an emergency situation," FDA said. These trade-offs should be justified in a premarket submission.
Acceptable Security Features
The guidance also contains a laundry list of security features that manufacturers can implement, including:
- limit access to devices through user authentication (e.g., user ID and password, smartcard)
- log users off automatically after a timed session
- differentiate privileges based on the user's role
- strengthen password protection by avoiding "hardcoded" passwords and limiting public access to passwords used for privileged device access
- where appropriate, provide physical locks on devices and their communication ports to minimize tampering
- require user authentication or other appropriate controls before permitting software or firmware updates
- restrict software or firmware updates to authenticated code
- use systematic procedures for authorized users to download version-identifiable software and firmware from the manufacturer
- ensure secure data transfer to and from the device and, when appropriate, use accepted methods for encryption
- implement fail-safe features that protect the device's critical functionality even when its security has been compromised
- implement features that allow security compromises to be recognized, logged and acted upon
- provide methods for retention and recovery of device configuration by an authenticated system administrator
In addition, the guidance document calls on companies to document the security features used in the design control portion of a premarket submission. Companies are advised to include a hazard analysis of security risks and ways to mitigate or avoid such risks, a traceability matrix that links controls to identified risks, a plan to update the medical device, documentation to ensure that a device is free from malware at the point of distribution, and instructions for use related to keeping a device free from viruses through the use of security software.
Comments on the draft guidance are due in 90 days.