Medical Devices and Cybersecurity: A True Love Story
Do you worry about Internet hackers gaining access to your blood pressure monitor? Can they view your readings, or, worse, alter your readings to make you think all is fine, when it really is not? You may rest easier in knowing that manufacturers of medical devices are striving to meet the cybersecurity guidance set forth by the FDA.
Today’s medical devices are delicately interconnected to the internet, hospital networks, and other medical devices to provide features that improve health care and increase the ability of health care providers to treat patients. These same features also increase the risk of penetration into the networks from outside sources known as threat actors. Such medical devices are vulnerable to security breaches that can potentially greatly impact the safety and effectiveness of a device. Such threats and vulnerabilities cannot possibly be eradicated, thus reducing cybersecurity risks can be a challenge.
Mitigate Cybersecurity Risks
The FDA Cybersecurity guidance takes a holistic approach and is split into two parts – Premarket Submission and Postmarket Management. The Premarket Submission portion accounts for design time of the device and includes provisions for making devices more secure. The Postmarket Management addresses the device’s full lifecycle to monitor and update the product to meet an evolving cybersecurity environment.
The premarket guidance covers limiting access to trusted users – recommending individual user accounts, strong passwords, a layered approach, and physical access controls. Beyond access control, the need for secure data transfers both into and out of the application are a necessity. The guidance also points out that security beyond the daily use is needed such as having a means to assure the authenticity of patches and upgrades.
The guidance describes that prevention is not the only item needed for cybersecurity. The system should be designed in a means that allows the detection, response and recovery from threats and intrusions.
As part of the Premarket Submission, the FDA will be looking for a clear indication that cybersecurity was addressed by the inclusion of security-related requirements and features in key documents. The keystone to all FDA regulated products is the product’s Hazard analysis which should include all cybersecurity risks, justifications and controls. These risks should also be highlighted in a traceability matrix to demonstrate implementation. A summary describing the cybersecurity controls that are in place and the inclusion in the traceability matrix is expected by the FDA. Cybersecurity will also be a key point in the maintenance plan, or in a cybersecurity dedicated plan as part of the premarket submission package.
Cybersecurity is not something achievable as a one-time effort but is a continuous process. The postmarket guidance addresses the evolving environment through defining businesses process more than individual device-specific detail.
The postmarket guidance includes creating a cybersecurity risk management program by the manufacturer. The aim of the program is to identify, protect, detect, respond, and recover with respect to cybersecurity threats. The program will take input for numerous sources such as quality audits, corrective and preventative actions, customer complaints and an Information Sharing and Analysis Organization. An Information Sharing and Analysis Center or is a nonprofit organization that provides a central resource for gathering information on cyber threats to critical infrastructure and providing two-way sharing of information between the private and public sector. The inputs are then formally managed through a risk analysis process with a focus on the impact to the patient safety.
The FDA recognized that cybersecurity is a responsibility of many parties from the designer, manufacturer, the healthcare facility and end users. RND Group has worked hand in hand with our clients to successfully implement the FDA Cybersecurity Guidance and introduce compliant medical devices to the marketplace. Since 1997, The RND Group has been applying the rigor required to designing, developing, documenting, and testing products in the evolving FDA regulated environment.