Previously in 2014, the FDA has published a final guidance discussing premarket expectations but the constant technology advancements and changes requires a new guidance.
As a result, on October 18, 2018, the FDA published a draft guidance about cybersecurity and it is currently the most updated cybersecurity guidance.
The use of internet-connected devices have been very convenient in the field of healthcare but it also has created many potential cybersecurity risks. In 2015, there were more stolen data than the combined total of six years prior to 2015; about 113 million records were impacted in that year. As time passes, healthcare systems are becoming more concerned with cybersecurity and many are investing more funds into cybersecurity.
Why is healthcare impacted by cybersecurity?
-Use of internet-connected devices
-Increased use of wireless devices
-Portable media (USB or CD’s)
-Frequent transfer of medical-device related information over the internet
It is the manufacturer’s duty to protect their medical devices from possible cybersecurity problems or breaches in order to provide safe usage for the patients.
The goal of the new guidance (published October 18, 2018)
The new drafted guidance in 2018 is intended to support the manufacturers to:
1) employ a risk-based approach to the design and development of medical devices with appropriate cybersecurity protections
2) take a holistic approach to device cybersecurity by assessing risks and mitigations throughout the product’s lifecycle
3) ensure maintenance and continuity of critical device safety and essential performance
4) promote the development of trustworthy devices to help ensure the continued safety and effectiveness of the devices.
Classification of cybersecurity risks
The new guidance classifies cybersecurity risks into two “tiers”.
Tier 1: “Higher Cybersecurity Risk”
-The device can connect (wirelessly, or wired) to another medical device or medical product, network, or the Internet
-A cybersecurity incident will result in harming a patient.
*Some examples of these devices are:
Implantable cardioverter defibrillators (ICDs)
Left ventricular assist devices (LVADs)
Brain stimulators and neurostimulators
Infusion and insulin pumps
Tier 2: “Standard Cybersecurity Risk”
-Any device that is not defined by the Tier 1 definition.
-Prevent unauthorized use
-Limit access to trusted users & devices only
-Authenticate and check authorization of safety-critical commands
-Ensure trusted content by maintaining code, data, and execution integrity
-Maintain confidentiality of data
The FDA recommended some elements that manufacturers should include when developing and designing their medical devices:
-identification of assets, threats, and vulnerabilities
-assessment of the impact of threats and vulnerabilities on device functionality and end users/patients
-assessment of the likelihood of a threat and of a vulnerability being exploited
-determination of risk levels and suitable mitigation strategies
-assessment of residual risk and risk acceptance criteria.
Design documentation: documentation that demonstrates that the device is trustworthy.
Risk management documentation: documentation that considers both security and safety risks.
The more detailed information about these documentation is available on pages 21-24 here
FDA’s recommendations about security information labeling.
1. Device instructions and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g., anti-virus software, use of a firewall).
2. A description of the device features that protect critical functionality, even when the device’s cybersecurity has been compromised.
3. A description of backup and restore features and procedures to regain configurations.
4. Specific guidance to users regarding supporting infrastructure requirements so that the device can operate as intended
5. A description of how the device is or can be hardened using secure configuration. Secure configurations may include end point protections such as anti-malware, firewall/firewall rules, whitelisting, security event parameters, logging parameters, physical security detection.
6. A list of network ports and other interfaces that are expected to receive and/or send data, and a description of port functionality and whether the ports are incoming or outgoing (note that unused ports should be disabled).
7. A description of systematic procedures for authorized users to download version-identifiable software and firmware from the manufacturer
8. A description of how the design enables the device to announce when anomalous conditions are detected (i.e., security events). Security event types could be configuration changes, network anomalies, login attempts, anomalous traffic (e.g., send requests to unknown entities).
9. A description of how forensic evidence is captured, including but not limited to any log files kept for a security event. Log files descriptions should include how and where the log file is located, stored, recycled, archived, and how it could be consumed by automated analysis software (e.g., Intrusion Detection System, IDS).
10.A description of the methods for retention and recovery of device configuration by an authenticated privileged user.
11. Sufficiently detailed system diagrams for end-users.
12. A CBOM including but not limited to a list of commercial, open source, and off-the-shelf software and hardware components to enable device users (including patients, providers, and healthcare delivery organizations (HDOs)) to effectively manage their assets, to understand the potential impact of identified vulnerabilities to the device (and the connected system), and to deploy countermeasures to maintain the device’s essential performance.
13. Where appropriate, technical instructions to permit secure network (connected) deployment and servicing, and instructions for users on how to respond upon detection of a cybersecurity vulnerability or incident.
14. Information, if known, concerning device cybersecurity end of support. At the end of support, a manufacturer may no longer be able to reasonably provide security patches or software updates. If the device remains in service following the end of support, the cybersecurity risks for end-users can be expected to increase over time.
*These definitions are provided by the FDA.
Asset – anything that has value to an individual or an organization.
Authentication – the act of verifying the identity of a user, process, or device as a prerequisite to allowing access to the device, its data, information, or systems.
Authenticity – the property of being genuine and being able to be verified and trusted;confidence that the contents of a message originates from the expected party and has not been modified during transmission or storage.
Authorization – the right or a permission that is granted to access a device resource.
Availability – the property of data, information, and information systems to be accessible and usable on a timely basis in the expected manner (i.e. the assurance that information will be available when needed).
Confidentiality – the property of data, information, or system structures to be accessible only to authorized persons and entities and are processed at authorized times and in the authorized manner, thereby helping ensure data and system security. Confidentiality provides the assurance that no unauthorized users (i.e., only trusted users) have access to the data, information, or system structures.
Configuration – the possible conditions, parameters, and specifications with which a device or system component can be described or arranged.
Cryptographically strong – cryptographic algorithms, protocols and implementations that authoritative sources in cryptography would consider sufficiently secure.
Cybersecurity – is the process of preventing unauthorized access, modification, misuse or denial of use, or unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.
Cybersecurity Bill of Materials (CBOM) – a list that includes but is not limited to commercial, open source, and off-the-shelf software and hardware components that are or could become susceptible to vulnerabilities.
Denial of Service – actions that prevent the system from functioning in accordance with its intended purpose. A piece of equipment or entity may be rendered inoperable or forced to operate in a degraded state; operations that depend on timeliness may be delayed.
Encryption –the cryptographic transformation of data into a form that conceals the data’s original meaning to prevent it from being known or used.
End of support – a point beyond which the product manufacturer ceases to provide support, which may include cybersecurity support, for a product or service.
Integrity – the property of data, information and software to be accurate and complete and have 186 not been improperly modified.
Jitter – as it relates to queuing, the difference in latency of packets.
Life-cycle – all phases in the life of a medical device, from initial conception to final decommissioning and disposal.
Malware – software designed with malicious intent to disrupt normal function, gather sensitive 194 information, and/or access other connected systems.
Patchability/Updatability – the ease with which a device and related systems can be updated and patched in a timely manner.
Patient harm – is defined as physical injury or damage to the health of patients, including death.
Cybersecurity exploits (e.g. loss of authenticity, availability, integrity, or confidentiality) of a device may pose a risk to health and may result in patient harm.
Privileged User – a user who is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
Quality of Service – the measurable end-to-end performance properties of a network service, which can be guaranteed in advance by a Service Level Agreement between an end-user and a service provider, so as to satisfy specific customer application requirements.
Risk – the combination of the probability of occurrence of harm and the severity of that harm.
Risk Analysis – the systematic use of available information to identify hazards and to estimate the risk.
Trustworthy Device –a medical device containing hardware, software, and/or programmable logic that: (1) is reasonably secure from cybersecurity intrusion and misuse; (2) provides a reasonable level of availability, reliability, and correct operation; (3) is reasonably suited to performing its intended functions; and (4) adheres to generally accepted security procedures.
The full guidance can be viewed here.
RegDesk™ provides the most up-to-date regulatory information around the world. Our main goal is to satisfy our customers’ needs and we excel in providing the need of our clients in the most effective and efficient method. By being our client, you will have the opportunity to access the real-time regulatory data and updates in more than 100 countries. Talk to a member of our team today to learn about how our platform can greatly contribute to your business growth.