FDA Aims To Improve Medical Device Security

The FDA on April 8 posted to its website a draft document proposing recommendations to increase the cybersecurity of medical devices. The document is titled Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff.

“With the increasing integration of wireless, Internet- and network- connected capabilities, portable media (e.g., USB or CD), and the frequent electronic exchange of medical device related health information, the need for robust cybersecurity controls to ensure medical device safety and effectiveness has become more important,” the document reads.

Effective cybersecurity relies upon security being “built-in” to a device, and not “bolted-on” after the device is designed because cybersecurity threats to the health care sector have become more frequent and severe, according to the FDA.

Cybersecurity incidents have rendered medical devices and hospital networks inoperable and have disrupted patient care across healthcare facilities in the United States and elsewhere.

In the draft document, which contains nonbinding recommendations, the FDA noted that “the safety and security risks of each device should be assessed within the context of the larger system in which the device operates. In the context of cybersecurity, security risk management processes are critical because, given the evolving nature of cybersecurity threats and risks, no device is, or can be, completely secure.”

The FDA listed the following security objectives: authenticity (including integrity), authorization, availability, confidentiality, and secure and timely updatability and patchability. The agency advises that premarket submissions should include information describing how these security objectives are addressed by an integrated into device design.

“Because exploitation of known vulnerabilities or weak cybersecurity controls should be considered reasonably foreseeable failure modes for systems, these factors should be addressed in the device design,” the FDA wrote.

Michael K. Hamilton, Chief Information Security Officer for Critical Insight, a cybersecurity company in Bremerton, Washington, said the Biden Administration has taken significant steps toward helping to bridge the gap between the public harm done by cyberattacks against the health sector and the private responsibility for security. “Creating security standards for medical device security is another facet of this strategy, and while a bit late to the game, very welcomed as it provides the opportunity to transfer the responsibility for device security to manufacturers rather than continuing to expect that the health sector will provide the resources to do so,” Hamilton said.

“Cyberspace is continuously evolving, and with the growing number of cybercriminals, it is always a cat and mouse game,” said Mohiuddin Ahmed, PhD, a cybersecurity and data analytics expert at Edith Cowan University’s School of Science in Perth, Australia. “I appreciate the new FDA guidance, but it could have been imposed earlier.”

Although cybersecurity has improved significantly in the past few years, there is no room for complacency, Dr Ahmed said. “Cybercrime is a trillion-dollar business. Unless we go back to non-Internet days, there will always be cyber incidents, especially in health care, as the cybercriminals know the pressure points,” he said.

Hamilton said the FDA’s recommendations make sense and have to potential to improve the cybersecurity of medical devices. “Knowing that these devices are confirmed secure when delivered, and with strategies to maintain security through routine vulnerability detection and updates, provides a bit of breathing room for overtaxed technology security professionals working in the health sector.”

Lynne Coventry, PhD, Professor of Human Cybersecurity at Northumbria University in Newcastle upon Tyne, UK, who has studied the fundamental tension between privacy/security goals and the traditional medical goals of utility and safety, said health care systems may be more vulnerable now because of the COVID-19 pandemic, which has increased the workload and contributed to fatigued health care personnel, she noted. The result could be less vigilance regarding cybersecurity as personnel focus their reserves on patient care.

Throughout history, medical professionals have protected public health and responded to health threats. Their ability to do that is being threatened by risks associated with connecting medical devices to computer networks, Prof Coventry said. “Cybersecurity is not just a technical problem to solve. It is a complicated sociotechnical problem. Reducing cybersecurity risks also requires addressing interconnected social, business and legal aspects,” she said.