The Food and Drug Administration (FDA) issued guidelines this month recommending that manufacturers develop a set of cybersecurity controls in the design of medical devices capable of connecting to the Internet, a network, or portable media.1 Manufacturers should not only identify the cybersecurity risks associated with the device, but also develop a way for the appropriate stakeholders to detect and respond to security compromises.2
The purpose of the guidelines is to ensure the functionality and safety of medical devices from intentional or unintentional cybersecurity risks.3 While interconnected devices can improve patient care and create healthcare efficiencies, they are vulnerable to security breaches.4 The FDA’s cybersecurity concerns include malware infections that can spread over networks to medical devices, unsecured distribution of passwords, untimely software updates and patches, and security vulnerabilities in off-the-shelf software.5
Though the guidelines are recommendations that do not have the force of law,6 the FDA has made clear that it will use these guidelines in clearing medical devices for commercial distribution. Failure by medical device companies to comply with the guidelines and adequately describe the cybersecurity measures implemented in the device may delay or even prevent the FDA from approving a premarket application.
The FDA guidelines provide direction for how medical device companies should document cybersecurity measures for premarket submissions of medical devices. Documentation should include a list of the cybersecurity risks the manufacturer considered in the design of the device, a list of the cybersecurity controls incorporated in the device, justifications for how the controls respond to the risks, and a plan for how to validate software updates and patches.7 These documentation requests highlight the importance of considering security measures during the design of a medical device and not as an afterthought.
The FDA’s guidelines recognize the need to balance security measures with usability of the device in the design of security controls. The controls should account for the unique usability challenges of a health care setting where unauthorized users may need to access a medical device, such as when an emergency room physician without prior authorization needs immediate access to a patient’s device.8 One suggestion is to use a layered authorization model with differentiated privileges for different users.9 The FDA also recommends that hospitals and other health care facilities evaluate the security of their networks and implement ways to protect the hospital system.10 Common forms of cyber protection, such as hardcoded passwords in which each device has the same password, leave devices vulnerable to hacking if the hospital is using an unsecured network.11
The issuance of these guidelines highlights the need for medical device manufacturers and health care facilities to think about cybersecurity as an integral part of providing health care. The FDA’s decision to release these guidelines, despite no indication that certain devices or systems have been targeted and no known harm to patients from security breaches,12 demonstrates the need for manufacturers and health care facilities to take proactive measures to protect patients from cybersecurity risks. As manufacturers design and develop new medical devices, they should identify risks based on the intended use and intended environment for the devices13 so that they can develop tailored cybersecurity controls. Manufacturers and health care facilities should also test existing devices and networks for cyber vulnerabilities and provide software updates and patches as needed.