The Food and Drug Administration (FDA) has issued its final guidance on cybersecurity functionality and safety controls, establishing considerations for the design, development and premarket submissions related to medical devices. The FDA issued an earlier draft of the guidance on June 14, 2013.

The guidance responds to the rapid evolution of medical devices into special purpose computers that collect and store increasing amounts of medical data. Devices that connect (wirelessly or hard-wired) to other medical devices, the Internet, a network, or portable media are especially vulnerable to cybersecurity threats.

Data security professionals have noted that cyber-attacks of late have focused less on patient information and more on the technology that supports the healthcare industry. The guidance appears to take into account this shifting target, focusing on security controls that preserve the medical device’s functionality and integrity.

With its impact on the content of a manufacturer’s premarket submission to the FDA, the guidance compels manufacturers to plan security functions early in the development process rather than tacking them on later as an afterthought. The goal is to provide security that is not simply generic and untailored. The documentation to be submitted includes not only a hazard analysis and summary of security controls but also a “traceability matrix” that ties a specific security function to the precise risk identified in the hazard analysis. The required security controls must also address the full life cycle of the medical device, including authentication for software and firmware updates.

In particular, the FDA lists examples of security functions that developers are to consider when appropriate for the use environment:

  • Limiting access to devices through the authentication of users (e.g. user ID and password, smartcard, biometric), including multi-factor authentication to permit privileged device access;
  • Using automatic timed methods to terminate sessions within the system;
  • Employing a layered authorization model by differentiating privileges based on the user role (e.g. caregiver, system administrator) or device role;
  • Strengthening password protection by avoiding “hardcoded” password or common words;
  • Providing physical locks on devices and their communication ports to minimize tampering;
  • Requiring user authentication or other appropriate controls before permitting software or firmware updates, including those affecting the operating system, applications, and anti-malware;
  •  Restricting software or firmware updates to authenticated code, e.g. code signature verification;
  •  Using systematic procedures for authorized users to download version-identifiable software and firmware from the manufacturer; and
  •  Ensuring capability of secure data transfer to and from the device, and when appropriate, using methods for encryption.

In its press release announcing the new guidance the director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health (CDRH) stated, “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”

The FDA also announced that on October 21-22, 2014 the FDA, the Department of Homeland Security (DHS), and the Department of Health and Human Services (DHHS) will host a public meeting entitledCollaborative Approaches for Medical Device and Healthcare Cybersecurity. This meeting will seek input from all stakeholders, including medical device manufacturers, health care providers, biomedical engineers, IT system administrators, professional and trade organizations, insurance providers, cybersecurity researchers, government staff, and information security firms to more fully address medical device cybersecurity.

As newer wireless technologies that enhance medical device functionality continue to proliferate, manufacturers can expect more regulation and guidances concerning their premarket submissions from governmental agencies intent on anticipating and responding to emerging cyber risks.