FDA Issues Guidance on Medical Device Cybersecurity

By Luis Salazar

Here’s something a bit unnerving: Life-saving and life-enhancing medical devices—pacemakers, patient monitors and imaging scanners, for example—are vulnerable to hackers and malicious intrusions. Those vulnerabilities can, of course, have catastrophic impacts on patients who rely on those devices, but even patient fear of these vulnerabilities can have adverse repercussions. Patients may simply avoid updating or servicing their devices.

In an effort to address these concerns, the Food and Drug Administration (FDA) issued draft guidance on June 14, 2013, entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” The FDA developed the guidance to assist the medical-device industry by identifying issues related to cybersecurity that manufacturers should consider in preparing premarket submissions for medical devices. The need for effective cybersecurity to assure medical device functionality has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information.

The guidance provides recommendations to consider and document in FDA medical device premarket submissions to provide effective cybersecurity management and to reduce the risk that device functionality is intentionally or unintentionally compromised. The guidance defines cybersecurity as the process of preventing unauthorized modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed or transferred from a medical device to an external recipient.

The guidance recommends that manufacturers develop a set of security controls to assure medical device cybersecurity in three areas.

First, manufacturers should ensure information confidentiality, requiring that data, information or system structures be accessible only to authorized persons and entities and be processed at authorized times and in the authorized manner, thereby helping ensure data and system security. Second, manufacturers should ensure information integrity, requiring that data and information be accurate and complete and not improperly modified. And, third, manufacturers should ensure information availability, requiring that data, information and information systems be available when needed.

The guidance urges manufacturers to consider cybersecurity during the design phase of the medical device and to define and document the components of their cybersecurity risk analysis and management plan as part of the required risk analysis for product approval. For example, a manufacturer's risk analysis should: consider and identify assets, threats and vulnerabilities; assess the impact of the threats and vulnerabilities on device functionality; assess the likelihood of a threat and of a vulnerability being exploited; and determine risk levels and suitable mitigation strategies.

The FDA also recommends that medical device manufacturers provide justification in the premarket submission for the security features chosen and consider appropriate security control methods for their medical devices. Those controls can include limiting access to devices through the authentication of users (e.g., user ID and password, smartcard, biometric), using automatically timed user session log-offs, and using multi-factor authentication to permit privileged device access (e.g., to administrators, service technicians, maintenance personnel). Where appropriate, manufacturers should even include physical locks on devices and their communication ports to minimize tampering. A manufacturer’s chosen controls should also include mechanisms to ensure trusted content, such as restricting software or firmware updates to authenticated code and ensuring secure data transfers to and from the device, and, when appropriate, should use accepted methods for encryption. And, in the event these measures fail, manufacturers should include failsafe and recovery procedures that protect the device’s critical functionality, even when the device’s security has been compromised, and that allow for security compromises to be recognized, logged and acted upon.

The guidance also specifies that, in the premarket submission, manufacturers should provide the following information related to the cybersecurity of their medical device:

  1. Hazard analysis, mitigations and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including:
    • A specific list of all cybersecurity risks that were considered in the design of your device;
    • A specific list and justification for all cybersecurity controls that were established for your device.
  2. A traceability matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered;
  3. To assure continued safe and effective device use, the systematic plan for providing validated updates and patches to operating systems or medical device software, as needed, to provide up-to-date protection and to address the product life-cycle;
  4. Appropriate documentation to demonstrate that the device will be provided to purchasers and users free of malware; and
  5. Device instructions for use and product specifications related to recommended anti-virus software and/or firewall use appropriate for the environment of use, even when it is anticipated that users may use their own virus protection software.

Comments are due within 90 days of publication, or by September 12, 2013.

Luis Salazar

Luis Salazar is the founder of Salazar Jackson, LLP, a Miami-based law firm. He leads the firm’s privacy practice and can be reached at salazar@salazarjackson.com.