Guidance On Cybersecurity For Medical Devices
I have a niece who is a nurse, a traveling nurse, who floats from one hospital to the next, filling in labor shortages. This spring, she started working at a hospital in California, which was hit with a cyberattack on her first day of orientation.
It may have been the famously reported Scripps hospital system attack, but it’s hard to tell because she never told me which hospital she worked at, and because cyberattacks are surprisingly common for hospitals. Why, you ask? Because paying the ransom is the quickest option for regaining access to patient data and resuming patient care.
In fact, this is the option that her employer selected to resolve the issue. It angered me that a rogue group of criminals could steal from sick people and an already COVID-strained healthcare system just to make a million dollars, and the hospital so easily acquiesced to such an unscrupulous demand.
This article offers guidance on cybersecurity for medical devices and the steps companies can take to reduce the likelihood and impact of a cyberattack.
FDA Guidance Documents For Cybersecurity
In a world like ours, it is important for medical devices to be designed with cybersecurity in mind, and the FDA has taken notice. Two FDA Guidance Documents summarize the FDA’s thinking on what constitutes a full, risk-based, lifecycle approach to cybersecurity defense in a medical device: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, and Postmarket Management of Cybersecurity in Medical Devices.
What’s Not Covered In Cybersecurity Guidances?
To understand the FDA’s thinking, it is important to understand what isn’t covered in the cybersecurity guidances. They are not a supplement to FDA requirements for data integrity, and they are not an extension of 21 CFR Part 11, which governs electronic records and electronic signatures within the medical device firm’s quality management system.
The cybersecurity guidances do not address the security of electronic signatures and records, possibly because the FDA is aware that medical device firms have an economic stake in protecting their own data, but much less of one in protecting data belonging to their customers. The cybersecurity guidances are about protecting the device and, through it, the patients, users, and operators who depend on it.
Cybersecurity Bill of Materials
A new concept in the premarket cybersecurity guidance is the Cybersecurity Bill of Materials (CBOM). The CBOM lists all open source and off-the-shelf software and hardware components in the device, whether commercially available or not, that are or could become subject to vulnerabilities.
What Is CBOM?
The CBOM is a linchpin that connects numerous software design documents, including the cybersecurity risk assessment. It is also an aid in selecting suppliers for system components, and it should be included in customer labeling so that customers understand the composition of their systems.
The CBOM should be cross-referenced against the National Vulnerability Database (NVD) or a similar source to identify known vulnerabilities in the listed components, and the check should be repeated throughout the device’s life, because new vulnerabilities are published against old components long after release. The CBOM should be provided in both human-readable and machine-readable formats (SPDX and CycloneDX are two widely used machine-readable bill-of-materials formats) so that the cross-reference can be automated rather than done by hand.
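The cross-reference described above, written out as an added example that is not part of the FDA guidance. It parses a CBOM in a CycloneDX-style JSON layout and matches each component against a vulnerability feed shaped like NVD affected-version-range records. The CBOM contents and the vulnerability feed are constructed stand-ins so the script runs offline; the component names, versions, and record IDs (`tlslib`, `EXAMPLE-0001`, and so on) are illustrative and do not refer to real products or advisories. Version comparison is numeric per dotted field, which is the detail a hand-rolled string comparison usually gets wrong.

```python
"""Cross-reference a machine-readable CBOM against a vulnerability feed.

Added example, not from the FDA guidance. The CBOM below uses a CycloneDX-
style JSON layout (one of the common machine-readable bill-of-materials
formats). The vulnerability feed is a CONSTRUCTED, local stand-in for NVD
records so the script runs offline; component names, versions and record
IDs are illustrative and do not refer to real products or advisories.
"""
import json

# Constructed CBOM for a hypothetical infusion pump's firmware.
CBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library",          "name": "tlslib",        "version": "1.1.1"},
    {"type": "library",          "name": "imagecodec",    "version": "1.2.11"},
    {"type": "operating-system", "name": "rtos-kernel",   "version": "10.4.3"},
    {"type": "device",           "name": "wifi-module-x", "version": "2.0"}
  ]
}
"""

# Constructed vulnerability feed, shaped like NVD "affected version range"
# data: a product plus a half-open range [startIncluding, endExcluding).
VULN_FEED = [
    {"id": "EXAMPLE-0001", "product": "tlslib",
     "versionStartIncluding": "1.1.0", "versionEndExcluding": "1.1.2"},
    {"id": "EXAMPLE-0002", "product": "imagecodec",
     "versionStartIncluding": "1.2.0", "versionEndExcluding": "1.2.11"},
    {"id": "EXAMPLE-0003", "product": "rtos-kernel",
     "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.4.4"},
]


def version_key(version: str) -> tuple:
    """Split '1.2.11' into (1, 2, 11) so comparison is numeric, not lexical:
    '1.10' must sort after '1.9'. Non-numeric parts fall back to strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in version.split("."))


def affected(version: str, record: dict) -> bool:
    """True if `version` lies inside the record's range. A missing bound is open."""
    v = version_key(version)
    start = record.get("versionStartIncluding")
    end = record.get("versionEndExcluding")
    if start is not None and v < version_key(start):
        return False
    if end is not None and v >= version_key(end):
        return False
    return True


def match_cbom(cbom: dict, feed: list) -> list:
    """One finding per (component, record) pair whose product name matches
    and whose version falls inside the affected range."""
    findings = []
    for comp in cbom["components"]:
        for rec in feed:
            if rec["product"] == comp["name"].lower() and affected(comp["version"], rec):
                findings.append({"component": comp["name"],
                                 "version": comp["version"],
                                 "vuln": rec["id"]})
    return findings


def scan(cbom_json: str, feed: list) -> list:
    """Load a CBOM document from JSON text and return its findings."""
    return match_cbom(json.loads(cbom_json), feed)


def report(findings: list) -> str:
    """Human-readable summary for the risk file or customer labeling."""
    if not findings:
        return "No known vulnerabilities for the components listed in the CBOM."
    return "\n".join(f"{f['component']} {f['version']}: {f['vuln']}" for f in findings)


if __name__ == "__main__":
    print(report(scan(CBOM_JSON, VULN_FEED)))
```

Note the boundary case in the constructed data: `imagecodec 1.2.11` is not flagged because the record’s `versionEndExcluding` is exactly `1.2.11`, and `wifi-module-x` produces nothing because the feed has no record for it, which is a reminder that a clean scan only means no *known* match in the source you queried.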
Why Reference CBOM?
The CBOM requirement may seem onerous, but the FDA recognizes that building new system functionality from existing software carries risk, much as U.S. government agencies were breached, including their e-mail systems, through purchased SolarWinds software in a supply-chain attack disclosed in December 2020.
That breach was traced to lines of code surreptitiously inserted into a SolarWinds software update, giving the attackers remote access to every system that installed it. Once remote access was established, the attackers could move into the victims’ computers to steal data or install other forms of malware. The SolarWinds breach was called by some an “act of war.” A similar compromise of medical device software has the potential to harm thousands, perhaps millions, of people.
Cybersecurity Medical Device Requirements
Other requirements for cybersecurity mirror general medical device requirements. Let’s take a look at a few of the requirements.
- Design control
- Design validation
- Software validation
- Post-market surveillance
The requirements extend from the device to its latent cybersecurity risks, and therefore may take a new shape. For example, a cybersecurity risk assessment looks different from a typical FMEA: a vulnerability is scored on how it can be reached and exploited (attack vector, attack complexity, privileges and user interaction required) and on the loss of confidentiality, integrity, and availability it causes, rather than on the severity, occurrence, and detectability of a component failure. The FDA recommends a vulnerability assessment tool focused on cybersecurity, such as the Common Vulnerability Scoring System (CVSS), which is maintained by the CVSS Special Interest Group (SIG) at FIRST. A CVSS base score alone does not express patient harm, so the score should be mapped onto the device’s safety risk analysis rather than used in isolation.
Follow Post-Market Practices
The FDA also recommends using the following standards in post-market practices, once encountering a new vulnerability or breach:
- ISO/IEC 30111:2013: Information technology – Security techniques – Vulnerability handling processes
- ISO/IEC 29147:2014: Information technology – Security techniques – Vulnerability disclosure
Postmarket surveillance should monitor both for patient harm and for data security breaches.
Understand FDA’s Approach To Cybersecurity
Most important, the FDA’s approach to cybersecurity is risk-based. The FDA identifies two tiers for software-driven medical devices:
- Tier 1 (higher cybersecurity risk) applies when both conditions hold: the device is capable of connecting, wired or wirelessly, to another medical or non-medical product, to a network, or to the Internet; and a cybersecurity incident affecting the device could directly result in patient harm to multiple patients.
- Tier 2 (standard cybersecurity risk) is any medical device with software that does not meet the Tier 1 criteria. The rationale for the device’s tier rating must be documented.
Features To Consider For Medical Devices With Software
In either case, the list below identifies features to consider for a medical device containing software:
- Prevention of unauthorized access, through access levels, session timeouts, password strength requirements, and multi-factor authentication.
- Access limited to trusted devices: requiring higher-privilege users to grant permission before a device joins the network, data transfer only over unique encrypted channels, handshakes that authenticate devices to each other, and use of authentication tags and message authentication codes so that tampered messages are rejected.
- Data confidentiality, especially for protected health information (PHI) under HIPAA, or personal data under the GDPR, as appropriate to the jurisdiction. Ensure that credentials and encryption keys are stored and handled securely.
- Automated means to detect and mitigate breaches, including automatic breach detection and alerting, use of anti-malware software where the platform allows it, features that make forensic evidence easy to capture, and a quick patching capability to minimize downtime in the event of a breach.
- Medical device labeling that describes the features protecting critical functionality, the customer infrastructure requirements, how to capture forensic evidence, the device’s interfaces and ports and how to protect them, the CBOM, system diagrams, and servicing information.
How Will You Ensure Your Medical Devices Are Secure?
With the above in mind, quality assurance departments should collaborate with IT and security experts to design medical device software that can continually improve. Medical device companies should evaluate cybersecurity risks not only to the device itself but to the other devices that interface with it, to further assure patient safety.
The FDA recommends a coordinated vulnerability evaluation and disclosure policy because, as we know, the field of cybersecurity constantly evolves as cybercriminals continually hone their craft.