FDA Finalizes Cybersecurity Guidance

Posted October 1, 2014

Placing an emphasis on planning ahead, the U.S. Food and Drug Administration (FDA) is telling medical device manufacturers how to address cybersecurity vulnerabilities in their premarket submissions.

In a newly released guidance document, the agency says that its recommendations are intended to address such vulnerabilities as malware infections; the unsecured or uncontrolled distribution of passwords; failure to provide software updates and patches to medical devices and networks; and security vulnerabilities in off-the-shelf software designed to prevent unauthorized access.

“Effective cybersecurity management is intended to reduce the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate cybersecurity,” reads the document.

To guard against vulnerabilities, the FDA urges manufacturers to consider cybersecurity during the design and development phase of the medical device. It also recommends manufacturers establish a cybersecurity vulnerability and management approach as part of their software validation and risk analysis. The approach should address the following elements:

  • An identification of assets, threats, and vulnerabilities
  • An assessment of the impact of vulnerabilities on device functionality and end users/patients
  • An assessment of the likelihood of a threat and a vulnerability being exploited
  • A determination of risk levels and mitigation strategies
  • An assessment of residual risk and risk acceptance criteria

The FDA also recommends that medical device manufacturers give justification in their premarket submissions for the security functions they choose for their products. Examples include limiting access to trusted users through such methods as authentication, strong password protection, and physical locks, and ensuring trusted content by restricting software or firmware updates to authenticated code.

“There is no such thing as a threat–proof medical device,” said Suzanne Schwartz, MD, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health, in a prepared statement. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.” 

The document, which is dated Oct. 2, finalizes a draft version issued June 14, 2013 that drew comments from a number of organizations, including AAMI and AdvaMed, an association that represents medical device manufacturers.

In its comments to the draft, AAMI asked the agency to ensure that terms and definitions in the final guidance were consistent with those used by industry and standards developers. The final guidance includes a section that gives definitions for a number of terms, including harm and privileged user. It uses the definitions from ANSI/AAMI/ISO 14971:2007 Medical devices—Application of risk management to medical devices for these two terms.

The final guidance also adds a list of recognized consensus standards dealing with information technology and medical device security, including AAMI/ANSI/IEC, TIR 80001-2-2:2012—Application of risk management for IT Networks incorporating medical device—Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks, and controls. AdvaMed had called for this listing in its comments.

The release of the guidance comes in advance of  a public workshop, scheduled for Oct. 21 and 22, to discuss how government, medical device developers, hospitals, cybersecurity experts, and others can work together to enhance patient safety. Organized in partnership with the U.S. Department of Homeland Security, the workshop will focus on improving industry’s understanding of the National Institute of Standards and Technology’s “Framework for Improving Critical Infrastructure Cybersecurity,” released in February 2014.