FDA Issues Cybersecurity Guidelines for Connected Medical Devices

Internet and Wirelessly Connected Medical Devices (“Devices”) are a cybersecurity concern of the Food and Drug Administration (FDA) as evidenced by guidance it issued in October 2014. The FDA Guidance does not have the force of law—but is highly influential in the medical device industry. Likely, failure of compliance will delay or prevent FDA approvals of such Devices.

FDA Guidance

The FDA Guidance focuses to Device cybersecurity risks of security breaches. It encourages manufacturers of such devices to identify the cybersecurity risks associated with the devices. Further, it develops means for detecting and responding to security compromises. FDA concerns include malware infections and related software security vulnerabilities in off-the-shelf software.

The FDA Guidance identifies cybersecurity related premarket submissions for the Devices that meet the definition of "medical device" and their usage. It recommends that device manufacturers provide as part of their premarket submissions:

• Hazard analysis, mitigation, and design considerations related to security risks associated with the medical device;
• Links between cybersecurity controls and risks associated with the medical device;
• Summary of the plan to provide validated software updates to the medical device throughout its lifecycle;
• Summary of the controls to ensure software integrity; and
• Instructions for use and product specifications related to cybersecurity controls.

The FDA Guidance encourages Device manufacturers to consider cybersecurity controls during Device design cycles. It particularly focuses to guarding against unauthorized users and limiting access to the Devices and associated data streams. For example, it encourages a layered model authorization and use privilege.

Additionally, the FDA Guidance encourages that hospitals and other health care facilities evaluate the security of their networks and implement ways to protect the hospital system. Also, it recommends avoiding well-known vulnerabilities.

Why is all this important?

Centers for Disease Control and Prevention (CDC) estimates of annual patient encounters:

• 35 million hospital discharges
• 100 million hospital outpatient visits
• 900 million physician office visits
• Billions of prescriptions.

Most of these encounters likely include a networked medical device—that is why the FDA is taking a proactive approach to the cybersecurity of internet connected medical devices.

Because the Devices contain computer systems that are often wirelessly connected with hospital and clinic legacy systems, often they are entry points into these legacy systems for cyber criminals.

Device Cybersecurity Noted in Executive Order 13636

The President, in Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” directed the National Institute of Standards and Technology (NIST) to develop the framework to “reduce cyber risk and help owners and operators of critical infrastructure identify, assess, and manage that risk.” Executive Order 13636 includes the Healthcare and Public Health [HPH] Critical Infrastructure Sector.

Thus, we are seeing the FDA now follow through with more detailed recommendations regarding carrying out Executive Order 13636 within the NIST Cybersecurity Framework (the “Framework”). Likely, we will see this cloth continued to be weaved by federal entities as well as collaboration among government, Device manufacturers, and healthcare providers.

Healthcare Provider Implementation Concerns

Hospitals, health systems and other health care organizations—while noting that their information systems have become more connected—have voiced implementation concerns. An example concern has been voiced be the American Hospital Association in its response to the FDA’s request for comments.