The threat of cyber-attacks against medical devices is real. Medical devices capable of connecting, wirelessly, wired, or to portable media such as a USB drive, are more vulnerable to cybersecurity threats than unconnected devices.
We now know that cyber-criminals can hack into medical networks through relatively simple means. Although there have been no documented cases of attacks on medical devices such as pacemakers, defibrillators, and infusion pumps, security researchers have warned the healthcare industry that it lags far behind the computer industry in protecting devices from hackers. FDA has also issued warnings regarding security flaws in certain medical devices and recalls have been initiated due to cybersecurity risks.
It was a warning such as this in 2018 that led Medtronic to disable internet updates to more than 34,000 of its CareLink programming devices that are used by healthcare providers around the world to access implanted pacemakers. This action was taken by the company after researchers discovered that the system was vulnerable to cyber-attacks. Understanding that the threat of such an attack can cause alarm to patients who may have devices connected to the CareLink network, the FDA issued a safety notice announcing that it had reviewed the matter and approved of Medtronic’s decision to disable the internet updates.
The FDA’s mission for any product under their purview is to ensure that it is safe and effective. This means that it must be safe during the development stage and must remain safe after it has been placed on the market. Essentially, the Agency is involved in the entire lifecycle of the product when it comes to cybersecurity. Its concern is not only to ensure that the product is safe and effective when used as intended, but also that the function of the device isn't compromised due to cybersecurity risks.
The Agency has published pre-market and post-market guidance documents that offer recommendations for comprehensive management of medical device cybersecurity risks, continuous improvement throughout the total product life-cycle, and incentivize changing marketed and distributed medical devices to reduce risk. A draft update to the pre-market guidance was issued in 2018.
Each guidance document was created based on the recognition that medical device security is a shared responsibility between stakeholders, which includes manufacturers of medical devices, healthcare facilities, providers, and patients. Failure to maintain adequate cybersecurity can result in compromised device functionality, loss of personal and medical information, or exposure of other connected devices or networks to security threats. Such exposure could result in patient illness, injury, or death.
These guidances are intended to assist the industry by identifying potential cybersecurity-related issues that manufacturers should consider when designing and developing a medical device as well as when preparing pre-market submissions for those devices.
It’s the FDA’s position that manufacturers focus on mitigating patient risk in a robust and efficient manner. This mitigation can be done by following the cybersecurity framework developed by the National Institute of Standards and Technology (NIST): Identify, Protect, Detect, Respond, and Recover. In addition, the Quality System Regulation points to specific requirements regarding software validation and risk analysis in 21 CFR 820.30.
While identifying threats, manufacturers should balance cybersecurity safeguards and the usability of the device in its intended environment to ensure that the security controls are appropriate for the intended users. The Agency recommends that medical device manufacturers provide justification for the security functions chosen for their medical devices in their pre-market submission.
Manufacturers can protect users by limiting access to only trusted users. This can be done in ways that include the use of passwords, smartcards, biometric scanners, a layered authorization model, multi-factor authentication, physical locks on devices and their communication ports, and automatic timed methods to terminate sessions within the system.
Additional protections include restricting software or firmware updates to authenticated code, using systematic procedures for authorized users to download version-identifiable software and firmware from the manufacturer, and ensuring the security of data transfer to and from the device through encryption. Manufacturers should also:
Post-market guidance also follows NIST’s framework: Identify, Protect, Detect, Respond, and Recover.
Manufacturers are required to analyze complaints, returned products, service records, and other sources of quality data to identify existing and potential causes of nonconforming products or other quality problems (21 CFR 820.100). Manufacturers are encouraged to actively identify cybersecurity signals that might affect their product and engage with the sources that report them.
Regarding protection and detection, among other things, the FDA recommends that manufacturers characterize and assess identified vulnerabilities because doing so will provide information that will aid manufacturers with triaging remediation activities. When characterizing the exploitability of a vulnerability, manufacturers should consider factors such as remote exploitability, attack complexity, threat privileges, actions required by the user, exploit code maturity, and report confidence.
Manufacturers should conduct cybersecurity risk analyses that include threat modeling for each of their devices and update those analyses over time. The Agency also recommends that manufacturers analyze possible threat sources, which encompass the intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability.
Regarding responding and recovering, the Agency recommends that manufacturers assess and provide users with compensating controls such that the risk of patient harm is mitigated. Reporting and remediating are also essential components of any manufacturer’s response to a cybersecurity event.
Once all related information has been assessed and characterized, manufacturers should determine if the risk of patient harm presented by the vulnerability is adequately controlled by existing device features and manufacturer-defined compensating controls. Finally, the actions that are taken should reflect the magnitude of the problem and align with the risks encountered.
While cybersecurity is seen as a shared responsibility among all stakeholders, the ultimate responsibility for cybersecurity lies with the manufacturer. It’s their product, so it's their responsibility. Fortunately, the FDA has issued comprehensive recommendations that, if followed, will either prevent or mitigate the impact of a cybersecurity attack.
Are you in the process of developing a medical device vulnerable to cybersecurity threats? Do you manufacture such an approved medical device? Cybersecurity is critical regardless of where you are in the product development life cycle. We can help ensure that your device is as secure as possible and meets all FDA recommendations such as appropriate cybersecurity risk management documentation and labeling, plans for continuing support, and interoperability considerations. To learn more about our services and how we can help safeguard your medical device against possible security threats, contact us today.
August 20, 2018
On Thursday, August 16th, the FDA released a list of medical device accessories that have the potential to be reclassified as class I devices. Background According to section 513 of the Food, Drug, &...
August 31, 2015
Earlier this year, FDA published a report announcing that the Agency’s device program has shown “a pattern of markedly improved performance.” Over the past five years, FDA has been working to improve...
September 30, 2016
On Thursday, September 22nd, the FDA’s Center for Devices and Radiological Health (CDRH) released its regulatory science priorities for fiscal year 2017. CDRH & Regulatory Science According to CDRH,...