Understanding Medical Device Cybersecurity & the FDA’s Role

Medical devices hanging on wall

Medical Device – Cybersecurity – Overview

Per the FDA’s definition, a medical device is an instrument, apparatus, implement, machine, contrivance, implant, in-vitro reagent, or another similar or related article, including a part or accessory planned for use in the identification of a disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease. Advancements in the healthcare industry have increased the use of wireless, cloud, internet of things (IoT) connected devices, medical devices, and the frequent electronic exchange of medical-device-related health information. The increased connectivity to existing computer networks has exposed medical devices to cybersecurity vulnerabilities from which they were previously shielded. Failure to maintain cybersecurity controls can result in compromised device functionality, data loss (medical or personal), data availability or integrity issues, or exposure of other connected devices to advanced persistent threats (APTs). Cybersecurity controls gaps may result in patient illness, injury, or death. Apart from physical harm to a patient, medical devices are targeted to perform the following frauds:

  • Medicare Fraud: Submit false insurance claims from fictitious healthcare providers
  • Medical Identity Theft: Falsify IDs to seek medical care under the identity of another person
  • Prescription Drugs: Leverage a legitimate prescription to obtain controlled substances for resale in illegal drug markets
  • Black Market Exchange: Leverage networks to sell records to other parties in exchange for anonymous digital currency

Cybersecurity threats are rapidly evolving as interest in healthcare grows. Market forces have connected medical devices to PCs, smartphones, and the cloud. This creates new threat vectors and the opportunity to hack medical devices connected to patients over the internet. Medical Devices are becoming more of a target for hackers due to two factors:

  • Network-enabled medical devices are being introduced, opening novel attack opportunities
  • Older devices still exist and are poorly managed

Medical device companies face a large variety of cyber-threats, which vary in sophistication and include:

  • Disruption of Service
  • Malware
  • Insider Threat
  • Theft and/or Loss of Assets
  • Unintentional Exposure of Data
  • Web Application Attacks (SQLi, DDos, XXS)

These attacks are possible due to the inadequate cybersecurity practices and governance across the life cycle of most medical devices, including:

  • Poor Coding
  • Insecure Data Transfer
  • Weak Access Controls
  • Insufficient Monitoring Processes
  • Delayed Maintenance and Update of Process
  • Minimal Cross Team and Cross Organization Communication

FDA’s Role in Medical Device Cybersecurity

As we have become more dependent on connected medical devices and with the rise of cyber incidents involving connected medical devices, the FDA has issued Pre and Post Market guidance to assist the industry in identifying cybersecurity issues. The guidance is designed and structured to help manufacturers implement controls throughout the product life cycle, including during the design, development, production, distribution, deployment, and maintenance phase. As per FDA guidance, “medical device security is a shared responsibility between stakeholders, including health care facilities, patients, providers, and manufacturers of medical devices.”[1] Medical device manufacturers must abide by federal regulations and guidance. A portion of those regulations, called quality system regulations (QSRs), requires that medical device manufacturers address all risks, including cybersecurity risks. The pre-and post-market cybersecurity guidance provides recommendations for meeting QSRs.

Note – The FDA issued a proposed rule to amend the medical device Quality System Regulation (QSR) on February 23, 2022. The FDA focuses on incorporating and aligning the International Organization for Standardization – ISO-13485 to transform and standardize its medical device regulations. The FDA accepts comments on the proposed rule (Docket No. FDA-2021-N-0507) through May 24, 2022.

FDA Pre-Market Guidance

The FDA Premarket Guidance states:

This guidance provides recommendations for FDA medical device premarket submissions for effective cybersecurity management. Effective cybersecurity management will help reduce the risk to patients by decreasing the likelihood that device functionality is compromised. These recommendations assist manufacturers with premarket submissions for devices that contain software (including firmware) or configurable logic and/or software that is a medical device.

Manufacturers should establish design inputs for their devices related to cybersecurity and show a cybersecurity risk and controls management approach as part of the software validation and risk analysis required by 21 CFR 820.30 (Design Controls of the Quality System Regulation).

The method should adequately address the following parts:

  • Identification of technology components, risks, APTs, and weaknesses
  • Assessment of the impact of APTs and vulnerabilities on device functionality and end users/patients
  • Evaluation of the likelihood of a threat and an exposure manipulated
  • Determination of risk levels, controls, and suitable mitigation approaches
  • Assessment of enduring risk and risk acceptance criteria

The premarket submission requires manufacturers to provide the following information related to the cybersecurity of their medical devices:

  • Hazard analysis, mitigations, and design considerations on intentional and unintentional cybersecurity risks associated with medical devices
  • A traceability matrix that links actual cybersecurity controls to the cybersecurity risks
  • A summary describing the course of action for delivering validated software updates and patches as needed throughout the product lifecycle of the medical device
  • A synopsis describing cybersecurity controls that are in place to reassure that the medical device software will sustain its integrity from the point of origin to the end at which that device leaves the control of the manufacturer
  • Device instructions for use and product specifications to recommended cybersecurity controls for the intended use environment (e.g., anti-virus software, use of firewall)

Note on New Pre-Market Guidance

On April 08, 2022, the FDA issued new draft guidance replacing the 2018 version. The latest version contains new recommendations for premarket submission content to address medical device cybersecurity concerns. The focus of the new direction is to underline the importance of ensuring that medical devices are designed securely with security controls embedded throughout the entire Product Life Cycle. Some significant changes within the 49-page draft are the requirement for a Software Bill of Materials or SBOMs, Threat Modeling requirements, and Vulnerability Management plans.

This draft guidance will be accessible for public comments for 90 days under docket number FDA-2021-D-1158. We will be publishing an article taking a deep dive into the 49-page new draft guidance in the upcoming weeks.

FDA Post-Market Guidance

Due to continually evolving cybersecurity risks to medical devices, it is impossible to mitigate risks entirely. Therefore, manufacturers must implement a comprehensive cybersecurity risk management program covering the FDA-recommended critical components. FDA recommends the following essential elements of such a post-market cybersecurity program:

  • Examining cybersecurity information sources for identification and detection of cybersecurity risks and vulnerabilities
  • Maintaining robust software lifecycle processes that include monitoring third-party software elements for new vulnerabilities throughout the medical device’s life span
  • Design certification and validation for software updates and patches to remediate vulnerabilities, including those related to Off-the-shelf software
  • Understanding, assessing, and detecting the existence and effect of new and existing threats and vulnerabilities
  • Forming and conveying processes for threat and vulnerability intake and managing
  • Using threat modeling to plainly define how to maintain the safety and critical performance of a medical device by creating mitigating controls that protect, respond, and recuperate from the APT
  • Implementing a coordinated vulnerability disclosure policy and practice
  • Implementing mitigations that address cybersecurity risk early and before exploitation

To implement a robust cybersecurity risk management program, the FDA recommends manufacturers incorporate elements consistent with the established NIST Framework for Improving Critical Infrastructure Cybersecurity (i.e., Identify, Protect, Detect, Respond, and Recover).

Challenges & Opportunities in Medical Device Cybersecurity

As medical devices become further interconnected and data-driven, they can improve the care patients receive and create efficiencies in the health care system. With technology innovation comes new risks and controls challenges. The medical device industry faces cybersecurity issues unique to the servicing of medical devices. Some potential challenges and opportunities in 2022 for medical device cybersecurity are:

  • Bringing together Information Technology (IT) and Clinical Engineering (CE)
    • IT knows systems and cybersecurity, while CE knows medical devices and devices’ regulatory/compliance needs. Close coordination between these groups is key to implementing an effective technology risk and controls strategy.
  • Connected VS Non-Connected Devices
    • Devices connected to the internal network or the internet have different security control requirements. Understanding how the device is network-enabled will help you develop and implement adequate security controls.
  • Most devices do not run protective software (anti-malware) so protecting connected devices is critical with an effective Network Security Strategy. Implementing security controls via network segmentation, whitelisting, network monitoring, firewalls, etc., is essential to protect devices and patients.
  • Hardware & Software Bill of Materials
    • Understanding all third-party and in-house hardware and software components within a medical device is crucial. Having an accurate inventory of both is step one in designing and implementing proper security controls within medical devices.
  • Access Controls
    • Understanding how to manage access to connected and non-connected devices. A strong focus on implementing modern identity and access management techniques like single sign-on and two-factor authentication
  • Vulnerability & Patch Management
    • Understanding how to identify and remediate static and open-source vulnerability within your connected device. Implementing a patch process that continuously remediates known vulnerabilities, defects, and bugs while pushing out device enhancements as needed.

As the world of medical devices evolves to treat better and monitor patient health, cybersecurity remains a top priority. As per FDA guidance, “medical device security is a shared responsibility between stakeholders, including health care facilities, patients, providers, and manufacturers of medical devices.”

Quandary Peak Research has on staff industry-leading Health IT, cybersecurity, and software engineering experts equipped and prepared to help stakeholders, health care facilities, providers, and manufacturers address the cybersecurity responsibilities shared amongst all on the Internet of Medical Things (IoMT) ecosystem.

Footnotes
  1. Welcome to today’s FDA/CDRH Webinar

    fda.gov ]
This article is authored by
Juan M. Vasquez - Director of Information Security & Audit Services
Juan M. Vasquez, CISM, CISA

Juan has over 10 years of experience in Information Security, Cybersecurity, Information Technology, Operational Technology, IT Audit, and IT Risk & Controls. He has 16 years of military service and continues to serve as an IT Operations Manager and Exercise Planner in the US Marine Corps Reserve.