The same data management technology used in consumer devices such as personal computers, smartphones, and tablets is increasingly being found in medical devices and is used to manage and transfer critical health information over wireless networks.
To address the issues related to cybersecurity, the FDA has published the guidance document “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices“. This guidance document identifies cybersecurity elements that manufacturers should consider in designing and developing medical devices, as well as in preparing premarket submissions for those devices.
The FDA identifies effective cybersecurity management as a means “to reduce the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate cybersecurity.” While medical device manufacturers should develop a set of cybersecurity controls to assure device functionality and safety, the FDA recognizes that there is a shared responsibility between healthcare facilities which incorporate those devices into their systems, and the patients and providers who operate them.
The FDA has identified the following cybersecurity framework core functions as important for consideration during the development of a medical device:
Identify and Protect
Manufacturers should identify how the device is intended to be used and the types of possible external connections available to the device. Security controls should then be designed into the device based on these areas of vulnerability to limit the potential risk to the patient. The location where the device is intended to be used should also be considered — a device intended for home use may require separate security design elements compared to one used in a health care facility.
The types of security functions to consider for the protection of medical devices include limiting access to trusted users only through appropriate passwords and authorization methods and ensure trusted content by restricting software or firmware updates to authenticated code.
Detect, Respond, Recover
Manufacturers should design features into their devices that enable detection of a security compromise during normal use, including the time and type of compromise that occurred.
Information should also be provided to the end user describing appropriate actions to take upon the detection of a cybersecurity event. Critical device functionality should be maintained even during a cybersecurity compromise and methods of retention and recovery by authorized users should be available.
The FDA has identified the following documentation for inclusion in a premarket submission:
- Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with the device, including:
A specific list of all cybersecurity risks that were considered in the design of the device.
A specific list and justification for all cybersecurity controls that were established for the device.
- A traceability matrix that links the actual cybersecurity controls to the cybersecurity risks that were considered;
- A summary describing the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device to continue to assure its safety and effectiveness.
- A summary describing controls that are in place to assure that the medical device software will maintain its integrity (e.g., remain free of malware) from the point of origin to the point at which that device leaves the control of the manufacturer; and
- Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g. anti-virus software, use of firewall).
With the potential for security breaches occurring from multiple sources and the ever-evolving, shared-technology platforms increasingly used by medical devices, it is important that manufacturers takes the necessary steps to protect their devices for cybersecurity threats and mitigate risks to the patient.