Several entities are calling on the US Food and Drug Administration (FDA) to make changes to its recently released draft guidance on medical device cybersecurity, saying the guidance-which is intended to ensure that devices aren't easily susceptible to unauthorized intrusions or errors-either goes too far, doesn't go far enough or just needs changes in general.
The last several years have brought a drumbeat of warnings from security researchers, analysts and government agencies regarding the susceptibility of medical devices to hacking attempts. Several government reports, including ones from the US Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST), called on FDA to do more to ensure the safety of devices.
In June 2013, FDA answered that call, releasing a draft guidance document recommending that device manufacturers submit proof that their devices adhere to three principles: confidentiality, integrity and availability.
As the failure to ensure those principles might result in injury or death in patients, FDA said that companies that fail to consider the cybersecurity of their devices might be denied approval under its risk framework.
Then, in July 2013, FDA also announced its intent to launch a cybersecurity testing laboratory to "fuzz"--a process which subjects a piece of software to a barrage of unintended input data to find defects-medical devices in the hopes of finding vulnerabilities before a device makes it to market.
That fuzzing process is set to run off software developed by Codenomicon, a security testing company which recently weighed in on FDA's draft guidance, saying FDA needs to institute fuzzing requirements for all devices that are reliant on software for their proper functioning.
The risk, Codenomicon explains, lies primarily in zero-day exploits-those unknown to either the company or security researchers before it is exploited or triggered. Fuzzing requirements, the company said, would allow these defects to be fixed prior to the release of the product, "resulting in a safer, more robust and more secure product."
As a result, the company said it "strongly recommend[s] that FDA's guidance includes generational fuzzing, a testing technique for locating unknown vulnerabilities in all types of software, as a method of mitigating zero-day threats."
"In addition, premarket submissions should include test results demonstrating that the submitted product has passed all applicable generational fuzz testing," the company continued in its docket submission in the Federal Register.
The Limits of Suggestion
Other entities have also weighed in on the draft guidance, including the Center for Internet Security (CIS), a nonprofit security firm. In comments submitted to FDA's docket, CIS highlighted a perceived shortcoming of FDA's guidance: It's a guidance.
In other words, it is by its very nature non-binding, as opposed to a regulation, which is grounded in statute. Rather, a guidance is merely a strong suggestion that illustrates FDA's public understanding, and is most often intended to expedite approvals. Calling this a "major constraint," CIS said that even if FDA intends to place the cybersecurity testing components under its overall risk analysis for devices, the agency still lacks enforcement authority with which to compel compliance.
And this, too, raises another question: What is to be done about devices already on the market? FDA's guidance calls for all new devices to submit cybersecurity risk data, but says nothing about already-marketed products.
"Perhaps there will be forthcoming guidance for post-approval medical devices," CIS wrote, adding that it hopes this does occur given the large number of "vulnerable devices already in use in/by healthcare facilities … around the country." The ability to force these devices to make improvements would ultimately benefit patients, the group postulated.
CIS also commended FDA for the issuance of what it called "high-level" guidance, but recommended a narrower, more "prescriptive" approach to determine exactly which standards should be followed and how devices should be configured depending device type. Bringing together a working group of experts would prove useful in this regard, CIS added.
A Matter of Competition
And while many independent security experts weighed in, one comment from Lawrence Rochowicz stands out for its similarities to an issue that many generic pharmaceutical companies have complained about: access. In 2007, when FDA formalized Risk Evaluation and Mitigation Strategies (REMS) plans, which were intended to require some companies to submit plans to make it more difficult or misuse or abuse certain (i.e. riskier or more dangerous) products, some generic pharmaceutical companies complained that branded companies were engineering the restrictions to ensure that generic competitors could not get hold of their product to make copies of it.
Rochowicz's comments make close parallels to this scenario, saying he is "concerned that this document will be used by medical equipment manufactures to "severely limit" or "completely lock-out" all non-manufacture medical equipment servicers (i.e. hospital in-house certified clinical/biomedical engineers) from access to service and diagnostic tools required to assemble, install, adjusted, calibrate, test and perform maintenance on the medical equipment used on our patients."
"Manufacturers already use service keys, password of the day, service CDs and USB keys to limit our access," he continued. "Even after spending thousands of dollars to attend the official manufacturer training classes and becoming authorized or certified to service their medical equipment, keys and passwords become disabled or expired without purchasing additional service licenses or service contracts at exorbitant yearly fees."
In other words, could a system meant to promote security actually raise prices for hospitals-and ultimately consumers-by creating a de-facto monopoly on servicing and maintaining products?
Comments on the draft guidance remain open until 12 September 2013, after which time we'll see if FDA agrees with the sentiments of Codenomicon, CIS or Rochowicz.
FDA Docket on Cybersecurity Guidance