In a set of guidelines finalized on Wednesday titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” the FDA has made recommendations to medical device manufacturers on managing security risks and best protecting patient health and data.
Considerations include limiting access to devices through authentication, using appropriate authentication mechanisms such as multi-factor authentication, requiring user authentication or other controls before software and firmware updates, and avoiding “hardcoded” passwords or common words while limiting public access to passwords used for privileged device access, according to the guidelines.
Devices should differentiate privileges based on the user role or device role, use automated timed methods to terminate sessions within the system, and ensure secure data transfer to and from the device possibly through encryption, the guidelines indicate. Additionally, physical locks should be used on devices and communication ports to minimize the chances of tampering.
Furthermore, features should be implemented so security compromises can be detected, logged, timed and acted upon during normal use, and other features should protect critical functionality during a compromise, according to the guidelines. Information should be made available to users regarding actions to take during a compromise and for retention and recovery of device configurations.
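The controls listed above (per-user credentials with no hardcoded password, a second authentication factor, role-based privilege for firmware updates, automatic termination of idle sessions, and logging of security-relevant events so they can be acted upon) fit together in one access-control layer. The following is an added example in Python, written for this article and not code from the FDA guidance or any device manufacturer; the role names, the five-minute idle timeout, the PBKDF2 parameters and the sample users are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional, Set, Tuple

# Assumed policy values (constructed for this example, not from the FDA guidance).
IDLE_TIMEOUT_SECONDS = 300      # an idle session is terminated after 5 minutes
PBKDF2_ITERATIONS = 200_000

# Role-based privileges: firmware updates are reserved for a service role.
ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "clinician": {"view_readings", "adjust_therapy"},
    "biomed_tech": {"view_readings", "view_logs"},
    "service_engineer": {"view_readings", "view_logs", "update_firmware"},
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 hash: the device stores no plaintext or hardcoded password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class DeviceAccessControl:
    """Authentication, role checks, idle timeout and an event log for one device."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock                                        # injectable for testing
        self.users: Dict[str, Tuple[bytes, bytes, str]] = {}      # name -> (salt, digest, role)
        self.sessions: Dict[str, dict] = {}                       # token -> session state
        self.events: List[Tuple[float, str, dict]] = []           # timestamped security events
        # Dummy credential so an unknown user costs the same time as a known one.
        self._dummy = hash_password(os.urandom(16).hex())

    def add_user(self, name: str, password: str, role: str) -> None:
        if role not in ROLE_PRIVILEGES:
            raise ValueError(f"unknown role {role!r}")
        salt, digest = hash_password(password)
        self.users[name] = (salt, digest, role)

    def log(self, event: str, **details) -> None:
        self.events.append((self.clock(), event, details))

    def login(self, name: str, password: str, second_factor_ok: bool) -> Optional[str]:
        """Return a session token on success, None on failure. Every failure is logged."""
        salt, expected, role = self.users.get(name, (self._dummy[0], self._dummy[1], ""))
        _, actual = hash_password(password, salt)
        if name not in self.users or not hmac.compare_digest(actual, expected) or not second_factor_ok:
            self.log("auth_failure", user=name, second_factor=second_factor_ok)
            return None
        token = os.urandom(16).hex()
        self.sessions[token] = {"user": name, "role": role, "last_activity": self.clock()}
        self.log("login", user=name, role=role)
        return token

    def authorize(self, token: str, action: str) -> bool:
        """Allow `action` only for a live, non-idle session whose role holds the privilege."""
        session = self.sessions.get(token)
        if session is None:
            self.log("invalid_session", action=action)
            return False
        now = self.clock()
        if now - session["last_activity"] > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]                              # timed session termination
            self.log("session_expired", user=session["user"], action=action)
            return False
        session["last_activity"] = now
        if action not in ROLE_PRIVILEGES[session["role"]]:
            self.log("privilege_denied", user=session["user"], role=session["role"], action=action)
            return False
        self.log("action", user=session["user"], action=action)
        return True


def demo() -> dict:
    """Walk through the controls with a fake clock; returns the outcomes for inspection."""
    now = [1_000_000.0]
    dac = DeviceAccessControl(clock=lambda: now[0])
    dac.add_user("dr_lee", "correct horse battery staple", "clinician")     # constructed users
    dac.add_user("svc_kim", "another long passphrase", "service_engineer")

    bad = dac.login("dr_lee", "wrong", second_factor_ok=True)
    clinician = dac.login("dr_lee", "correct horse battery staple", second_factor_ok=True)
    engineer = dac.login("svc_kim", "another long passphrase", second_factor_ok=True)
    clinician_fw = dac.authorize(clinician, "update_firmware")              # denied by role
    engineer_fw = dac.authorize(engineer, "update_firmware")                # allowed
    now[0] += IDLE_TIMEOUT_SECONDS + 1                                      # simulate idle time
    after_idle = dac.authorize(clinician, "view_readings")                  # session expired
    return {"bad_login": bad, "clinician_fw": clinician_fw, "engineer_fw": engineer_fw,
            "after_idle": after_idle, "events": [e[1] for e in dac.events]}


if __name__ == "__main__":
    print(demo())
```

The event list produced by `demo()` is the part a reviewer of a premarket submission would care about: every failed login, denied privilege and expired session is recorded with a timestamp, which is what makes a compromise detectable and actionable rather than silent.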
The FDA suggests that manufacturers justify these chosen security functions in their premarket submissions.
“Specifics will be forthcoming, but it seems likely that they'll somehow overlay the extra development steps on any device which has a network interface at a minimum, and possibly can be accessed via other interfaces like USB and others – basically devices that represent a potential digital attack vector,” Cameron Camp, a security researcher at ESET, told SCMagazine.com in a Thursday email correspondence.
The underlying idea in these guidelines is to address security during design and development – not doing so could result in compromised device functionality, loss of medical or personal data availability or integrity, or exposure of other connected devices or networks to security threats, according to the guidelines.
“Manufacturers should establish design inputs for their device related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by [the Code of Federal Regulations],” the guidelines state.
According to the guidelines, the approach should address: identification of assets, threats and vulnerabilities; assessment of the impact of threats and vulnerabilities on device functionality and end users/patients; assessment of the likelihood of a threat and of a vulnerability being exploited; determination of risk levels and suitable mitigation strategies; and assessment of residual risk and risk acceptance criteria.
The scope of security controls depends on many variables, including how and where the device is used and whether it contains electronic data interfaces, as well as the likelihood of vulnerabilities being intentionally or unintentionally exploited and the probable risk of patient harm resulting from a breach, the guidelines indicate; they add that manufacturers should be careful when balancing security and usability.
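The five-step approach described above (identify assets, threats and vulnerabilities; assess impact; assess likelihood; set risk levels and mitigations; evaluate residual risk against acceptance criteria) is essentially a risk register with a scoring rule. The following is an added example in Python, written for this article and not a method prescribed by the FDA guidance; the 1-to-5 likelihood and impact scales, the level thresholds, the acceptance threshold and the three sample register entries are all assumptions chosen to show how a residual risk can still fail the acceptance criterion after mitigation.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed scoring policy (constructed for this example, not from the FDA guidance).
ACCEPTABLE_RISK = 6          # residual risk at or below this meets the acceptance criterion
HIGH_THRESHOLD = 15
MEDIUM_THRESHOLD = 7


@dataclass
class Mitigation:
    name: str
    likelihood_reduction: int = 0   # likelihood points the control removes
    impact_reduction: int = 0       # impact points the control removes


@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain), before mitigation
    impact: int                     # 1 (negligible) .. 5 (serious patient harm)
    mitigations: List[Mitigation] = field(default_factory=list)

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact

    def residual_risk(self) -> int:
        # A control can lower a factor but never below 1: residual risk is never zero.
        lik = max(1, self.likelihood - sum(m.likelihood_reduction for m in self.mitigations))
        imp = max(1, self.impact - sum(m.impact_reduction for m in self.mitigations))
        return lik * imp

    def accepted(self) -> bool:
        return self.residual_risk() <= ACCEPTABLE_RISK


def risk_level(score: int) -> str:
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def assess(register: List[RiskItem]) -> List[Dict]:
    """Score every item and flag the ones whose residual risk still needs work."""
    return [{"asset": item.asset, "threat": item.threat,
             "inherent": item.inherent_risk(), "inherent_level": risk_level(item.inherent_risk()),
             "residual": item.residual_risk(), "residual_level": risk_level(item.residual_risk()),
             "accepted": item.accepted()} for item in register]


def sample_register() -> List[RiskItem]:
    """Constructed register entries for a hypothetical networked infusion pump."""
    return [
        RiskItem("pump control firmware", "unauthorized firmware replacement via service port",
                 "update accepted without authentication", likelihood=3, impact=5,
                 mitigations=[Mitigation("signed firmware + service-role authentication", likelihood_reduction=2),
                              Mitigation("physical lock on service port", likelihood_reduction=1)]),
        RiskItem("patient data in transit", "interception or alteration on hospital network",
                 "unencrypted link to the monitoring station", likelihood=4, impact=3,
                 mitigations=[Mitigation("encrypted transport", likelihood_reduction=3)]),
        RiskItem("clinician session", "misuse of an unattended logged-in session",
                 "no automatic logout", likelihood=4, impact=4,
                 mitigations=[Mitigation("idle-session timeout", likelihood_reduction=2)]),
    ]


def open_items(register: List[RiskItem]) -> List[str]:
    """Assets whose residual risk exceeds the acceptance criterion after mitigation."""
    return [row["asset"] for row in assess(register) if not row["accepted"]]


if __name__ == "__main__":
    for row in assess(sample_register()):
        print(row)
    print("needs further mitigation:", open_items(sample_register()))
```

With these constructed numbers the firmware and data-in-transit entries are brought within the acceptance threshold, while the unattended-session entry drops from 16 to 8 and remains open; that is the point at which the guidance expects a manufacturer either to add a further mitigation or to document why the residual risk is accepted.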
Camp said that medical devices have a lengthy and expensive development timeline and that many devices in service today had almost no digital security context when developed.
“That means the network and digital features and interfaces often are vulnerable, if left unprotected, to exploits which are years old,” Camp said. “For example, some operating room computers run Windows XP and specifically have automatic logouts disabled so doctors can access them during an extended surgery without logging back in. These boxes are networked as well, so an exploit seems wide open.”