Security Misconfiguration is in the top 5 OWASP vulnerabilities and was the main vulnerability to which EyeCare and HearingCare Networks were subject. The two entities provide devices to aid people with sight and hearing dysfunction and fell victim to a hack in 2021. As the record goes, EyeCare and HearingCare suffered “unauthorised access to its data environment whereby someone removed and then deleted certain patient information”.
The data breach resulted in a class action that led to even more complications for the two entities. Because of incidents like these, the Food and Drug Administration decided to publish its own draft guidance to help companies operating in the healthcare industry improve their cyber security awareness and capability.
In this article, we will give an overview of this document and offer useful insight.
What is FDA Medical Device Security
The Food and Drug Administration (aka FDA) is the United States Government Agency in charge of regulating drugs, food, medical devices, cosmetics, tobacco and more. The FDA's mission is to ensure that all the products manufactured and sold that fall under this umbrella are in compliance with its safety, efficacy and security standards.
In order to succeed in its mission, the FDA creates and updates its regulatory standards, offering mandatory and cautionary guidance on all the subjects under its jurisdiction. The FDA regulations don’t necessarily influence only the technical qualities of products and manufacturers; in some cases, the FDA rules on supply chain standards, for example for counter-terrorism purposes or to ensure the sustainability and quality of products in commerce in the US.
In the matter of Medical Device Security, FDA has taken more and more responsibility in guiding medical machine manufacturers through the process of secure software design applied to medical devices.
In order to achieve this, the FDA has developed a draft guidance on the Cyber Security standards that medical device developers should consider. This draft guidance is a best practice suggestion and is not in a final state; it is not legally binding, and it neither obliges nor entitles any individual to act on its recommendations. It does, however, reflect “the current thinking of the Food and Drug Administration (FDA or Agency) on this topic”.
The reason it is important to be up to speed on this document is that there is a significant chance that an upcoming regulation on this very subject will reflect the current approach.
In the following sections, we will detail the most salient key points of the FDA Cyber Security Guidance that you shouldn’t miss.
The FDA Medical Device Security Guidance Draft
The draft document's audience is developers who plan to produce medical devices that will require the following application submissions:
- Premarket Notification (510(k)) submissions;
- De Novo requests;
- Premarket Approval Applications (PMAs) and PMA supplements;
- Product Development Protocols (PDPs);
- Investigational Device Exemption (IDE) submissions; and
- Humanitarian Device Exemption (HDE) submissions
Depending on the devices you are about to submit for FDA approval, you might be required to apply for one or more of the above.
The document’s objective is to ensure that the devices submitted for approval have a high standard of integrity, availability and confidentiality measures. Authenticity and timely updatability are also considered necessary for good device security.
To evaluate whether the applicant has reached these objectives, and how effectively they have been met, the FDA envisions measuring the following:
- the device’s intended use and indications for use;
- the presence and functionality of its electronic data interfaces;
- its intended and actual environment of use;
- the type of cybersecurity vulnerabilities present;
- the exploitability of the vulnerabilities; and
- the risk of patient harm due to vulnerability exploitation.
How to make use of FDA Medical Device Security Guidance Draft
The FDA Cyber Security Guidance can be a valuable tool to anticipate trends in cyber security and regulations.
There are several key points in the document that you can use to start improving your Medical Device security before these requirements are enforced.
One of the first steps you should take is to integrate a Secure Product Development Framework (SPDF). An SPDF is, in essence, a set of processes that a device manufacturer can embed in its production line to ensure that the product is resilient to the most common security issues from the early stages, and it also helps improve the security of future development.
For example, by designing a program or a device with an SPDF, you reduce the risk of redeveloping from scratch or investing a large sum of money when integrating the same product in the IoT environment.
Risk Management is the second step. When developing a device, you should make use of the known cyber risks related to the same technology that have been identified in the past to build a risk register that highlights the following:
- Threat Modelling
- Third Parties
- Known Unresolved Issues
- Security Risk Management Documentation
- Other industry-specific elements, such as Toxicity Characteristic Leaching Procedure (TCLP)
Once you have identified these risks, you should develop a Cyber Security Architecture that resolves all the aforementioned objectives; in particular, the Cyber Security Architecture should take into account the following controls:
- Authentication
- Authorisation
- Cryptography
- Code, Data, and Execution Integrity
- Confidentiality
- Event Detection and Logging
- Resiliency and Recovery
- Updatability and Patchability.
These controls should be addressed and, if you are preparing for an FDA submission, it is recommended that you present the implemented controls with the following approach:
- Global System View: A complete system view should be offered, showing as much as possible of the connections and the data flows the device is subject to.
- Multi-Patient Harm View: If the device can be connected to a network, you should highlight the chances that it could cause harm by interacting with other devices, as well as the risk of being compromised (or spreading a compromise) by interacting with other devices.
- Updateability/Patchability View: You should show how you are going to deliver timely and reliable security patches.
- Security Use Case View(s): Make sure to provide a good number of use cases that explore all the possible operational states of the device.
Once you have built a solid Cyber Security Architecture System, you should focus on developing a Penetration Testing and Vulnerability assessment methodology that supports the Architecture and aims to test the patches applied to the known vulnerabilities.
The last piece of the puzzle is to create a Vulnerability Management plan that continuously keeps track of evolving threats and takes into account extreme scenarios such as disaster recovery.
Conclusions
Anticipating the trend can be risky but, when it comes to Cyber Security, the safest choice is actually being ahead of the curve. The FDA is looking to increase the standard of Cyber Security in medical devices. You can rest assured that this will most likely result in a dedicated Cyber Security regulation soon. If you don’t want to be caught off guard, you can start preparing now by implementing a Secure Product Development Framework that embeds Risk and Vulnerability Management in the product life cycle, as well as Testing and Control Management that aims to address the set objectives, such as Authentication Control, Cryptography and more.