FDA Advises on Cybersecurity Concerns in Annual Forum

By: Gabrielle Hirneise

June 16, 2021

Categories: AAMI News, HTM Professionals, Medical Device Manufacturers


As most information is stored and exchanged via our devices, cybersecurity is a growing concept of concern. Kevin Fu, acting director for medical device cybersecurity and program director for the DHCoE at the FDA, spoke to this topic at the 2021 FDA Science Forum, addressing recent headway the FDA has made in guiding cybersecurity regulations and overcoming recent challenges within the medical device landscape.

“The FDA has elected not to approve and not to clear medical device submissions on cybersecurity concerns alone,” Fu said. “The reason why, simply stated, is because cybersecurity is safety. It’s extremely difficult to have a safe and effective medical device if there are cybersecurity risks of clinical relevance.”

However, the FDA does not merely enforce stipulations—it also provides solutions and guidance. Over the last decade, the FDA has assembled documents, regulations, and educational materials for medical device manufacturers, encouraging them to build cybersecurity defenses into devices from the start rather than adding them as an afterthought.

“There are two primary documents available—a premarket guidance document finalized in 2004 and a second document finalized in 2016 called the post-market cybersecurity document, and that I would consider more of a social engagement document,” Fu said. “It talks about how medical device manufacturers and organizations can work together to share information about not only vulnerabilities in a medical device but actual incidents … such as ransomware ... and how to communicate that with stakeholders across the medical device ecosystem.”

In line with the constant evolution of cybersecurity, a new draft of the premarket guidance is expected to be released later in 2021.

Amongst such guidance is a call for threat modeling, which would eliminate the uncertainty associated with taking on a new medical device.

“It’s very difficult to make scientific claims about cybersecurity if a manufacturer does not provide a reasonable and reputable threat model specific to the medical device,” Fu said.

Threat models do what their name implies: model what cybersecurity threats one can expect with a given device or software. This eliminates any speculative arguments as well as unforeseen risks.

“The main idea behind threat modeling and good cybersecurity science is to get away from judgment assessments, or just statements of belief, and move much more toward a verifiable security design control,” Fu added. “In my opinion, it’s impossible to make scientific claims of computer security without a reputable threat model.”

To further emphasize the importance of threat modeling, the FDA arranged boot camps, where those who perform threat modeling could educate others within the industry on how to do the same.

Amongst other forms of safeguards against cybersecurity threats, there is the International Medical Device Regulators Forum (IMDRF), which works to “harmonize different standards” between countries, as well as the Software Bill of Materials (SBOM), which “is effectively an ingredient list of what third party software is inside” a given device.

The SBOM allows manufacturers to pinpoint which devices are at risk if a third-party software is compromised.
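As an added illustration of that cross-reference step (example code, not from the article or from the FDA), each device's SBOM below is a constructed ingredient list of third-party components, and a constructed advisory names a vulnerable component and version range; the function returns the devices that contain an affected version.

```python
# Constructed sample data: device names, components and versions are
# hypothetical and do not refer to any real product or advisory.
DEVICE_SBOMS = {
    "infusion-pump-A": [("openssl", "1.1.1k"), ("zlib", "1.2.11"), ("lwip", "2.1.2")],
    "patient-monitor-B": [("openssl", "3.0.2"), ("lwip", "2.1.3")],
    "ventilator-C": [("zlib", "1.2.11"), ("freertos", "10.4.3")],
}

# Constructed advisory: component affected from first_affected (inclusive)
# up to fixed_in (exclusive), the usual "fixed in version X" shape.
SAMPLE_ADVISORY = {
    "component": "openssl",
    "first_affected": "1.1.1",
    "fixed_in": "1.1.1l",
}


def parse_version(version):
    """Turn a dotted version such as '1.1.1k' into a comparable tuple.

    Each piece becomes (number, letter_suffix) so that 1.1.1 < 1.1.1k < 1.1.1l
    and 1.2.11 > 1.2.9, which plain string comparison would get wrong.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        suffix = piece[len(digits):]
        parts.append((int(digits) if digits else 0, suffix))
    return tuple(parts)


def affected_devices(sboms, advisory):
    """Return {device: version} for every device whose SBOM lists the
    advisory's component at a version in [first_affected, fixed_in)."""
    name = advisory["component"]
    low = parse_version(advisory["first_affected"])
    high = parse_version(advisory["fixed_in"])
    hits = {}
    for device, components in sboms.items():
        for component, version in components:
            if component == name and low <= parse_version(version) < high:
                hits[device] = version
    return hits


if __name__ == "__main__":
    for device, version in affected_devices(DEVICE_SBOMS, SAMPLE_ADVISORY).items():
        print(f"{device}: ships {SAMPLE_ADVISORY['component']} {version} (affected)")
```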

Although there are plenty of guidance documents for assessing cybersecurity threats amongst the various markets developing devices, the Joint Security Plan (JSP) serves to provide guidance on cybersecurity threats specific to medical devices.

However, Fu urged manufacturers to pay particular attention to the Cybersecurity Engineering Principles published by IEEE in 1975. The principles provide a framework for making devices secure and safe from cybersecurity attacks.

Amongst the eight key principles, two stood out to Fu as the most important: the open design principle and the principle of least privilege.

“The open design principle, it’s extremely important to not depend on the ignorance of an attacker or what we call ‘security by obscurity’ where you just hope for the best.”

Because attackers have become clever, creative, and financially motivated, one should “assume the adversary knows everything about your system except, for instance, a small manageable cryptographic key that could be kept physically secure.”

For the second, the principle of least privilege (PoLP), “the idea is that when you are creating a computer program, use the least number of privileges necessary to complete that function.”

This is based on the idea that attackers will inherit whatever privileges were encoded in the software. Granting only the privileges a function needs therefore minimizes the liberties an attacker will have upon infiltrating the device.

Though much work has been done within the cybersecurity landscape, in the coming year Fu hopes to further integrate security principles via the CDRH Total Product Life Cycle, continue to educate stakeholders and industry members, and foster further collaborations across the federal government.