The FDA has published for comment a draft guidance intended to assist the health industry in identifying and addressing cybersecurity threats in medical devices. Medical devices are frequently used to collect patients’ vital signs; the information is then transferred to a database within the medical office or in the cloud for further processing. For instance, a diabetic patient may be equipped with a device that collects blood samples and sends the information to a cloud-based service that makes a diagnosis, determines the right dosage of a drug, and sets the time at which the dosage should be administered to the patient.
To accomplish this, the medical device takes advantage of wireless, network, and Internet connections to exchange device-related health information collected from patients with a remote service or practitioner. The transmission of patient information to remote computing facilities and its storage in a cloud raise significant cybersecurity concerns: the interception and unauthorized use, modification or deletion of critical patient information could have deadly consequences.
The draft guidance provides recommendations to consider and identifies documentation to be provided in FDA medical device premarket submissions in order to assure effective cybersecurity management and reduce the risk of compromise. Not surprisingly, the guidance recommends that engineers and manufacturers develop security controls to maintain the confidentiality, integrity, and availability of the information collected from the patient and transmitted to the medical cloud that stores and processes it.
The draft guidance suggests “cybersecurity by design”, a concept similar to “privacy by design”: baking into the design of the medical devices, and of the equipment connected to them, the security features that could ensure more robust and efficient mitigation of cybersecurity risks.
The proposed guideline outlines the steps to be used for this purpose and stresses the importance of documenting the different steps taken:
- Conduct a risk analysis and develop a management plan as part of the risk analysis;
- Identify the assets at risk, the potential threats to these assets and the related vulnerabilities;
- Assess the impact of the threats and vulnerabilities on the device functionality;
- Assess the likelihood that a vulnerability might be exploited;
- Determine the risk levels and suitable mitigation strategies;
- Assess residual risk, and define risk acceptance criteria.
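The six steps above describe a risk-assessment procedure without prescribing a scoring method. The following Python risk register is an added example, not part of the FDA draft or of the original post: it rates impact and likelihood on assumed five-point scales, applies mitigating controls to obtain residual risk, tests the result against an assumed acceptance criterion, and also produces the control-to-risk traceability matrix that the guidance later lists among the premarket documentation. The scales, thresholds, control names and the three register entries are all constructed for illustration.

```python
"""Minimal medical-device cybersecurity risk register.

Added example: the five-point scales, score thresholds, control catalogue and
register entries are constructed assumptions, not values from the FDA draft.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Ordinal rating scales (assumed; the guidance prescribes no particular scale).
IMPACT = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "frequent": 5}
# Risk acceptance criterion (assumed): residual score (impact x likelihood) <= 6.
ACCEPT_MAX_SCORE = 6


@dataclass
class Control:
    """A mitigation and how many scale steps it removes from each risk factor."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One register row: asset at risk, threat, vulnerability, ratings, controls applied."""
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    impact: str        # key into IMPACT
    likelihood: str    # key into LIKELIHOOD
    controls: List[str] = field(default_factory=list)


def risk_level(score: int) -> str:
    """Map a numeric score onto a qualitative level (thresholds are assumed)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def evaluate(risks: List[Risk], catalogue: Dict[str, Control]) -> List[dict]:
    """Compute inherent and residual risk per entry and test the acceptance criterion."""
    results = []
    for r in risks:
        impact, likelihood = IMPACT[r.impact], LIKELIHOOD[r.likelihood]
        inherent = impact * likelihood
        # Apply each control in turn; a factor never drops below 1, because
        # controls reduce risk rather than eliminate it (hence residual risk).
        for name in r.controls:
            c = catalogue[name]
            impact = max(1, impact - c.impact_reduction)
            likelihood = max(1, likelihood - c.likelihood_reduction)
        residual = impact * likelihood
        results.append({
            "risk_id": r.risk_id,
            "inherent_score": inherent,
            "inherent_level": risk_level(inherent),
            "residual_score": residual,
            "residual_level": risk_level(residual),
            "accepted": residual <= ACCEPT_MAX_SCORE,
        })
    return results


def traceability_matrix(risks: List[Risk]) -> Dict[str, List[str]]:
    """Map each control to the risk ids it mitigates (control -> risks)."""
    matrix: Dict[str, List[str]] = {}
    for r in risks:
        for name in r.controls:
            matrix.setdefault(name, []).append(r.risk_id)
    return matrix


def unaccepted(results: List[dict]) -> List[str]:
    """Risk ids whose residual risk still exceeds the acceptance criterion."""
    return [x["risk_id"] for x in results if not x["accepted"]]


# Constructed control catalogue, loosely following the guidance's three control
# families: trusted users, trusted content, fail-safe and recovery.
CONTROLS = {
    "trusted-users-only": Control("trusted-users-only", likelihood_reduction=1),
    "mutual-tls": Control("mutual-tls", likelihood_reduction=2),
    "signed-updates": Control("signed-updates", likelihood_reduction=2),
    "fail-safe-schedule": Control("fail-safe-schedule", impact_reduction=1),
}

# Constructed register for the post's scenario: a connected glucose device
# whose dosage decisions come from a cloud service.
RISKS = [
    Risk("R1", "dosage instructions in transit", "interception or modification of dosage",
         "unencrypted wireless link", "catastrophic", "possible",
         ["mutual-tls", "trusted-users-only"]),
    Risk("R2", "device firmware", "installation of tampered firmware",
         "update images are not signed", "critical", "likely", ["signed-updates"]),
    Risk("R3", "cloud dosage service availability", "denial of service",
         "single upstream dependency", "serious", "unlikely", ["fail-safe-schedule"]),
]

if __name__ == "__main__":
    rows = evaluate(RISKS, CONTROLS)
    for row in rows:
        print(row)
    print("controls -> risks:", traceability_matrix(RISKS))
    print("still above acceptance criterion:", unaccepted(rows))
```

Running it shows why the guidance insists on a separate residual-risk step: R2 remains "medium" after signing updates, so the manufacturer must either add a control or document a justification for accepting it, and the traceability matrix records which control was meant to address which risk.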
As always, the issue is one of balance: balancing the universe of threats against the probability of a security breach. Factors to be taken into account include the type of medical device, the environment in which it is used, the type and probability of the risks to which it is exposed, and the probable risks to patients from a security breach. In addition, the guidance recommends that manufacturers carefully consider the balance between cybersecurity safeguards and the usability of the device in its intended environment of use (e.g., home use vs. healthcare facility use), to ensure that the security capabilities are appropriate for the intended users.
The FDA draft guidance recommends that medical device manufacturers should be prepared to provide justification for the security features chosen and consider appropriate security controls for their medical devices including, but not limited to:
- Limit access to trusted users only;
- Ensure trusted content;
- Use fail-safe and recovery features.
The proposed guidance also identifies the type of documentation that should be developed in preparation for a premarket submission filed with the FDA. This information includes:
- Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with the device;
- Traceability matrix that links the cybersecurity controls to the cybersecurity risks that were considered;
- Systematic plan for providing validated updates and patches to operating systems or medical device software;
- Documentation to demonstrate that the device will be provided to purchasers and users free of malware; and instructions for use and product specifications related to recommended antivirus software and/or firewall use appropriate for the environment of use.
The Draft Guidance is available at http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf