On October 2, 2014, the Food and Drug Administration (FDA) released a final guidance document titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”. The FDA said that the “need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network- connected devices, and the frequent electronic exchange of medical device-related health information.” The FDA defines cybersecurity as “the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.” The cybersecurity of medical devices gained media attention last year when former Vice President Dick Cheney revealed that his doctor had the wireless function of Cheney’s implanted defibrillator replaced due to fears that a terrorist could hack the device and assassinate the Vice President.
The guidance document identifies cybersecurity issues that manufacturers should consider when designing and developing their medical devices and information they should include when preparing their FDA medical device premarket submissions.
Cybersecurity Framework Core Functions
The FDA recommends that medical device manufacturers consider the following cybersecurity framework core functions to guide their cybersecurity activities: Identify, Protect, Detect, Respond, and Recover. This is the same framework proposed by the National Institute of Standards and Technology.
Identify and Protect
The FDA notes that the cybersecurity vulnerability of medical devices will vary and, accordingly, so will the extent to which security controls are needed. For example, medical devices capable of connecting (wirelessly or hard-wired) to another device, to the Internet or other network, or to portable media (e.g., USB or CD) are more vulnerable to cybersecurity threats than devices that cannot be connected. Manufacturers should also balance cybersecurity safeguards with the usability of the device in its intended environment of use.
The FDA provides the following non-exhaustive list of examples of security functions that can be used to protect medical devices:
- Limit access to devices through the authentication of users (e.g., user ID and password, smartcard, biometric).
- Use automatic timed methods to terminate sessions within the system where appropriate for the use environment.
- Where appropriate, employ a layered authorization model by differentiating privileges based on the user role (e.g., caregiver, system administrator) or device role.
- Use appropriate authentication (e.g., multi-factor authentication to permit privileged device access to system administrators, service technicians, maintenance personnel).
- Strengthen password protection by avoiding “hardcoded” password or common words (i.e., passwords which are the same for each device, difficult to change, and vulnerable to public disclosure) and limit public access to passwords used for privileged device access.
- Where appropriate, provide physical locks on devices and their communication ports to minimize tampering.
- Require user authentication or other appropriate controls before permitting software or firmware updates, including those affecting the operating system, applications, and anti-malware.
- Restrict software or firmware updates to authenticated code. One authentication method manufacturers may consider is code signature verification.
- Use systematic procedures for authorized users to download version-identifiable software and firmware from the manufacturer.
- Ensure that data can be transferred securely to and from the device, and when appropriate, use methods for encryption.
Detect, Respond, Recover
The FDA recommends that manufacturers do the following to identify, respond to, and remedy the impact of security compromises on device functionality and end users/patients:
- Implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use.
- Develop and provide information to the end user concerning appropriate actions to take upon detection of a cybersecurity event.
- Implement device features that protect critical functionality, even when the device’s cybersecurity has been compromised.
- Provide methods by which an authenticated privileged user can retain and recover device configuration.
Premarket Submission Cybersecurity Documentation
The guidance document lays out the types of cybersecurity information it recommends that manufacturers provide in their premarket submissions. The FDA states that the guidance document applies to the following five premarket submissions: Premarket Notification (501(k)) including Traditional, Special, and Abbreviated; De novo submissions; Premarket Approval Applications (PMA); Product Development Protocols (PDP); Humanitarian Device Exemption (HDE) submissions. The document calls for these types of information:
- Hazard analysis, mitigations, and design considerations pertaining to the cybersecurity risks associated with the medical device including: (a) a list of all cybersecurity risks that were considered in the design of the device; and (b) a list and justification for all cybersecurity controls that were established for the device.
- A “traceability matrix” that links the actual cybersecurity controls to the cybersecurity risks that were considered.
- A summary of the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device to continue to assure its safety and effectiveness.
- A summary of the controls that are in place to maintain the integrity (e.g., remain free of malware) of the medical device software from the point of origin to the point at which that device leaves the control of the manufacturer.
- Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g., anti-virus software, use of firewall).
To follow up on the guidance document, the FDA will hold a public workshop, “Collaborative Approaches for Medical Device and Healthcare Cybersecurity,” on October 21–22, 2014, in Arlington, VA.