Medical device cybersecurity is critical to patient safety and continues to attract attention from regulators, industry and even law enforcement. Unlike the imagined threats faced by our favorite space-bound toy with a badge, the threat of medical device compromise is very real and federal law enforcement has taken note.
A September 2022 Private Industry Notification issued to health care providers from the FBI identified some key risk areas:
- Default configurations and passwords;
- Devices with delayed vulnerability patching;
- Devices designed without security in mind;
- Internet of Things/connected devices;
- Specific device types, such as insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, intrathecal pain pumps; and
- End of life/legacy devices with minimal security patching/upgrades
This closely follows the recent FDA Draft Guidance which also emphasizes the impact of device connectivity to safety and effectiveness of medical devices. This guidance released April 8, 2022 is intended to replace 2018 draft guidance and includes investigational devices in its scope with the comment period closing on July 7, 2022. It emphasizes risk management throughout the “Total Product Life Cycle” to address device cybersecurity, including:
- Designing medical devices for cybersecurity (implementing cybersecurity as part of “software validation and risk analysis” as appropriate);
- Monitoring, identifying, and addressing cybersecurity vulnerabilities in devices that are on the market; and
- Outlining recommended content for premarket submission re: cybersecurity and encourages use of a Secure Product Development Framework.
FDA states in the Draft Guidance:
Software validation and risk analyses are key elements of cybersecurity analyses and demonstrating whether a connected device has a reasonable assurance of safety and effectiveness. FDA requires manufacturers to implement development processes that account for and address cybersecurity risks as part of design controls (21 CFR 820.30). For example, these processes should address the identification of security risks, the design requirements for how the risks will be controlled, and the evidence that the controls function as designed and are effective in their environment of use for ensuring adequate security.
How can manufacturers address device cybersecurity
What follows are some suggestions based on FDA draft guidance. While the guidance is still in draft, thus not binding, it signals FDA’s current thinking with regard to medical device cybersecurity and will help manufacturers better prepare to engage with FDA and with their customers on the topic of cybersecurity.
Design your device for cybersecurity
Companies should address security objectives such as maintaining authenticity, authorization, availability, confidentiality, and secure and timely updates/patching for the devices. FDA notes that “exploitation of known vulnerabilities or weak cybersecurity controls” is reasonably foreseeable and must be addressed in the device design. FDA also warns manufacturers that inadequate cybersecurity controls “may cause a device to be misbranded [...] among other possible violations...”
Address cybersecurity risk in premarket submissions
Address key security objectives and then describe how the device design actually addresses and integrates these security objectives based on the particular device (e.g., intended use and indication, electronic data interfaces, intended/actual environment of use, types of cybersecurity vulnerabilities present, exploitability of vulnerabilities, and risk of patient harm from exploited vulnerabilities.
Offer transparent cybersecurity information to device users
FDA suggests information should be provided about integrating device into the use environment, maintaining device cybersecurity over its lifecycle, and any information potentially affecting safety and effectiveness of the device. FDA also proposes that interconnected devices should include cybersecurity information in device labeling. The draft guidance suggests providing insufficient cybersecurity information to device users may compromise device safety and effectiveness.
Security risk management
FDA recommends separating safety and security risk assessments, noting that they focus on different things: safety risk assessment emphasizes probability of harm while security risk assessment focuses on exploitability and to “expose how threats, through vulnerabilities, can manifest patient harm and other potential risks.” Identified risks should be mitigated comprehensively in the design (or if not possible, in compensating controls). In cases where risks are only partially or not at all mitigated, they should be assessed further. As a last resort, risk transfer to users or even the patient may be necessary but these risks should be known, assessed, and communicated appropriately. Continue to identify, assess, and mitigate cybersecurity vulnerabilities throughout the entire lifecycle of the device using the company’s “Secure Product Development Framework”. Document, document, document – summarize risk evaluation methods, processes, details of assessments and mitigation undertaken. The risk management process must be traceable.
Customer awareness is increasing
FDA recently posted a video for “Cybersecurity Awareness Month” that recommends health care providers ask device manufacturers questions about cybersecurity, including:
- How is the device updated?
- What does it connect to?
- What happens if the connection is unavailable?
- What are the cybersecurity risks associated with the device?
- What cybersecurity resources do they have to support your patients?
- Who should you reach out to with questions if you have a concern?
Provider’s asking about device cybersecurity is not a new trend. Health care providers already have been increasing scrutiny of devices in recent years. But it does point to a future where medical device cybersecurity questionnaires are normative even for smaller providers.
Privacy remains a concern
If your medical device interacts with patient information, the Health Insurance Portability and Accountability Act (“HIPAA”), Federal Trade Commission (“FTC”) Act, or other laws may apply. This is especially critical for devices that have connectivity to systems managed by the device manufacturer. By designing your medical device for privacy and data security upfront and understanding the implications of your design choices when the device goes to market or enters a clinical trial phase, you will be better prepared for compliance with these requirements.
Key takeaways
- Design for security and address security risk management throughout the lifecycle (Secure Product Design Framework)
- Have a plan for cybersecurity vulnerabilities that are identified postmarket
- Plan how you will share cybersecurity risk information with FDA and device users
- Consider how cybersecurity affects device safety and effectiveness as well as patient privacy
- Be prepared to talk with FDA about cybersecurity
