In a set of guidelines finalized on Wednesday titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” the FDA has made recommendations to medical device manufacturers on managing security risks and best protecting patient health and data.
Considerations include limiting access to devices through authentication, using appropriate authentication such as multi-factor authentication, requiring user authentication or other controls before software and firmware can be updated, and avoiding “hardcoded” passwords or common words while limiting public access to the passwords used for privileged device access, according to the guidelines.
Devices should differentiate privileges based on the user role or device role, use automated timed methods to terminate sessions within the system, and ensure secure data transfer to and from the device, for example through encryption, the guidelines indicate. Additionally, physical locks should be used on devices and communication ports to minimize the chances of tampering.
Furthermore, features should be implemented so security compromises can be detected, logged, timed and acted upon during normal use, and other features should protect critical functionality during a compromise, according to the guidelines. Information should be made available to users regarding actions to take during a compromise and for retention and recovery of device configurations.
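To make the controls summarized above concrete, here is an added example of how a device-side access layer could tie them together: credentials provisioned at setup as salted hashes rather than passwords hardcoded in the firmware, privileges granted per role, sessions that expire after an idle period, firmware updates accepted only from an authorized session and only when the image verifies, and every failure written to an audit log. This is illustrative code written for this article, not code from the FDA guidance or from any device manufacturer; the role map, the 300-second timeout and the use of a per-device HMAC key as a stand-in for vendor signature verification are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Hypothetical role-to-privilege map (constructed for this example).
ROLE_PRIVILEGES = {
    "clinician": {"read_vitals", "start_therapy"},
    "technician": {"read_vitals", "read_logs"},
    "admin": {"read_vitals", "read_logs", "update_firmware"},
}

SESSION_TIMEOUT_S = 300  # idle timeout in seconds; constructed value
PBKDF2_ROUNDS = 100_000


def sign_image(update_key: bytes, image: bytes) -> bytes:
    """Stand-in for vendor signing: a MAC over the firmware image under the device's update key."""
    return hmac.new(update_key, image, hashlib.sha256).digest()


@dataclass
class Device:
    update_key: bytes                              # provisioned per device, never a literal in the code
    users: dict = field(default_factory=dict)      # username -> (salt, hash, role)
    sessions: dict = field(default_factory=dict)   # token -> [username, last_active]
    audit_log: list = field(default_factory=list)  # (time, event, detail)

    def provision_user(self, username: str, password: str, role: str) -> None:
        """Store a salted PBKDF2 hash; no password literal lives in the device code."""
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = (salt, digest, role)

    def login(self, username: str, password: str, now: float):
        """Return a session token on success, None (and an audit entry) on failure."""
        entry = self.users.get(username)
        if entry is None:
            self._log(now, "auth_fail", username)
            return None
        salt, digest, _role = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            self._log(now, "auth_fail", username)
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = [username, now]
        self._log(now, "login", username)
        return token

    def _session_user(self, token: str, now: float):
        """Return the username behind a live session; idle sessions are terminated here."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        username, last_active = sess
        if now - last_active > SESSION_TIMEOUT_S:
            del self.sessions[token]
            self._log(now, "session_timeout", username)
            return None
        sess[1] = now
        return username

    def authorize(self, token: str, privilege: str, now: float) -> bool:
        """Role-based check: the session must be live and the role must hold the privilege."""
        username = self._session_user(token, now)
        if username is None:
            self._log(now, "denied_no_session", privilege)
            return False
        role = self.users[username][2]
        if privilege not in ROLE_PRIVILEGES.get(role, set()):
            self._log(now, "denied_privilege", f"{username}:{privilege}")
            return False
        return True

    def update_firmware(self, token: str, image: bytes, tag: bytes, now: float) -> bool:
        """Accept firmware only from an authorized session and only if the tag verifies."""
        if not self.authorize(token, "update_firmware", now):
            return False
        if not hmac.compare_digest(sign_image(self.update_key, image), tag):
            self._log(now, "firmware_rejected", "bad_tag")
            return False
        self._log(now, "firmware_updated", hashlib.sha256(image).hexdigest()[:16])
        return True

    def events(self) -> list:
        """Event names in the order they were logged, for review or export."""
        return [event for _, event, _ in self.audit_log]

    def _log(self, now: float, event: str, detail: str) -> None:
        self.audit_log.append((now, event, detail))
```

The clock is passed in rather than read from `time.time()` so the idle-timeout path can be exercised deterministically; on a real device the same structure would be driven by a monotonic clock, and the audit log would be persisted and exported rather than kept in memory.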
The FDA suggests that manufacturers justify these chosen security functions in their premarket submissions.
“Specifics will be forthcoming, but it seems likely that they'll somehow overlay the extra development steps on any device which has a network interface at a minimum, and possibly can be accessed via other interfaces like USB and others – basically devices that represent a potential digital attack vector,” Cameron Camp, a security researcher at ESET, told SCMagazine.com in a Thursday email correspondence.
The underlying idea in these guidelines is to address security during design and development. Failing to do so could result in compromised device functionality, loss of availability or integrity of medical or personal data, or exposure of other connected devices or networks to security threats, according to the guidelines.