FDA Issues Draft Guidance on Device Cybersecurity
Medtech companies have been watching the U.S. Food and Drug Administration (FDA) for several years for any sign of medical device cybersecurity regulation. The agency has been discussing the issue, but no compliance regulations have been forthcoming. On June 14, the FDA released a draft guidance encouraging medical device manufacturers to build cybersecurity controls into the design phase of product development, but there are still no binding regulations.
The guidance recommends device manufacturers document their risk analysis of cybersecurity threats and vulnerabilities as well as ways to mitigate those risks, such as through encryption.
According to Bakul Patel, senior policy adviser to the director of the FDA’s Center for Devices and Radiological Health, the finalized version of the guidance will establish “FDA staff expectations” for what to consider when reviewing devices. While nothing mandatory is set forth, manufacturers should understand that demonstrating full consideration of cybersecurity for their devices will help them in the premarket approval (PMA) and 510(k) clearance processes.
“This draft guidance, when finalized, will represent the FDA’s current thinking on this topic,” the document reads. “You can use an alternative approach if the approach satisfies the requirements of the applicable statutes and regulation.”
According to the FDA, this new safety guidance is intended to supplement its guidance for the content of premarket submissions for software contained in medical devices, and its guidance for cybersecurity for networked medical devices containing off-the-shelf software, both issued in 2005.
On June 13, the FDA issued a safety communication to manufacturers and healthcare organizations listing steps they should consider taking to mitigate cybersecurity risks to medical devices. For healthcare providers, those steps include keeping antivirus software and firewalls updated, restricting access to networked devices, and contacting medical device makers about any cybersecurity issues.
“We are looking at how to raise awareness of these medical device cybersecurity issues,” Patel told GovInfoSecurity.com. “These are multi-stakeholder issues, and everyone needs to do their part.”
Mark Olson, chief information security officer at Beth Israel Deaconess Medical Center in Boston, called the FDA announcements “a very positive step.” He said that the FDA “is placing a requirement on the manufacturers to acknowledge they need to be part of the solution in protecting their equipment at the customers’ location. It is a well-balanced approach, placing joint responsibility on the vendor and the user of the products. For security practitioners, the model of joint responsibility is ideal.”
The guidance includes suggestions such as adding access controls like password protection or card access to devices, and even physical locks where appropriate; encrypting information; and including fail-safe features so that if a device is tampered with or compromised, its critical functions continue to operate.
According to the agency, the general principles device manufacturers should keep in mind are confidentiality, integrity and availability. Confidentiality means that data, information, or system structures are accessible only to authorized persons and entities, and are processed only at authorized times and in the authorized manner, so that no unauthorized user has access to them. Integrity means that data and information are accurate and complete and have not been improperly modified. Availability means that data, information, and information systems are accessible and usable on demand.
There have not been any reported cases of wireless devices failing or causing harm due to malicious interference, but the FDA has stated in the past that it hopes to prevent any such incidents by being proactive about cybersecurity.
The public has 90 days from the date of release to comment on the draft guidance.