Understanding FDA guidance on medical device cybersecurity

Medical device security is a growing concern. Expert Mike Villegas shares how to make sense of the new FDA cybersecurity guidelines for medical device manufacturers.

On Oct. 24, 2014, Reuters reported that the U.S. Department of Homeland Security is investigating about two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment that officials fear could be exploited by hackers. These include an infusion pump and implantable heart devices. The most critical risk is to human life, but such flaws also undermine the integrity and safety of the devices themselves.

The FDA issued Content of Premarket Submissions for Management of Cybersecurity in Medical Devices on Oct. 2, 2014. It provides guidance for medical device manufacturers on cybersecurity functions that strengthen devices against exploitation. The guidance stresses that these are recommendations, not requirements, but the functions it lists are sound and practical for any medical device manufacturer and its networks.

There are two types of premarket submissions:

  • A premarket notification, or 510(k), is submitted to the FDA before a manufacturer markets a medical device, to demonstrate that the device is substantially equivalent to one already legally marketed.
  • A premarket approval (PMA) is the FDA process of scientific and regulatory review to evaluate the safety and effectiveness of Class III medical devices. Under federal law, Class III devices are subject to approval of a Premarket Approval Application. Class III devices are those that support or sustain human life, are of substantial importance in preventing impairment of human health, or present a potential, unreasonable risk of illness or injury.

The FDA classifies medical devices into three classes:

  • Class I devices are subject only to general controls. They typically present the lowest potential for harm. Examples of Class I devices include elastic bandages, examination gloves and hand-held surgical instruments.
  • Class II devices are those for which general controls alone are insufficient to provide a reasonable assurance of safety and effectiveness. Examples of Class II devices include powered wheelchairs, infusion pumps and surgical drapes.
  • Class III devices are those that support or sustain human life, are of substantial importance in preventing impairment of human health, or which present a potential, unreasonable risk of illness or injury. Examples of Class III devices include replacement heart valves, silicone gel-filled breast implants and implanted cerebellar stimulators.

What does this mean for manufacturers and hospitals? It means that, especially for Class III life-supporting and life-sustaining medical devices, the cybersecurity controls the guidance lists should be deployed at a minimum.

Manufacturers

Manufacturers need to ensure their devices have 510(k) clearance or PMA approval, depending on classification. Class III devices must be designed with strict measures for identification, authentication, authorization, monitoring and integrity checking, so that layered controls stand in the way of covert attacks. No device is perfectly secure or failure-free, but the goal is to maximize both fault tolerance and resistance to attack. In particular, manufacturers should focus on devices that connect, wirelessly or by cable, to another device, to the Internet or other networks, or to portable media such as USB drives or CDs. These are the most exposed to cybersecurity threats.

A point emphasized in the FDA guidance is that security controls should not unreasonably hinder access to a device, especially in an emergency situation. This means a balance between ease of access and strong cybersecurity controls needs to be in place: an authorized clinician must still be able to reach the device quickly, and any emergency override must be recorded so it can be reviewed afterward.

Hospitals

Hospitals and other medical service centers need to ensure devices purchased provide documented assertions that they have undergone strict empirical cybersecurity testing and possibly independent review. Without these assertions, medical organizations should rethink whether they should purchase these devices or consider another vendor option.

After deciding on a short list of medical devices to choose from, hospitals need to take a pragmatic view of cybersecurity before making the final selection. They should ask the following: Does this device…

  • Have the FDA clearance or approval its class requires (510(k) clearance or, for Class III, an approved PMA)?
  • Require user authentication, such as an ID and password, a smartcard or biometrics such as fingerprint scanning?
  • Have a session timeout feature that ends a session after a predetermined idle period?
  • Use role-based access controls to grant privilege levels such as caregiver, physician or system administrator?
  • Use strong encryption, such as WPA2 with AES, for wireless connections?
  • Require multifactor authentication for privileged device access?
  • Enforce strong password rules to reduce the risk of compromise? For example: minimum length, mixed character classes, no default or shared passwords across devices, and passwords stored only as salted hashes rather than in clear text.
  • Provide physical locks for the device itself and for any communication ports, to minimize tampering?
  • Run current antimalware/antivirus protection during any external connectivity, including software or firmware updates?
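The access-control items on that checklist (authentication, session timeout, role-based privilege levels, multifactor authentication for privileged actions, password rules) interact with the guidance's warning that controls must not block a clinician in an emergency. The following is an added example, not code from the FDA guidance or from the article, of how those pieces fit together in one device-side access-control model with an audited "break-glass" emergency path. The role names, the action names, the 300-second timeout, the PBKDF2 iteration count and the 12-character minimum are illustrative assumptions, not values taken from the guidance.

```python
"""Added example: device-side access control combining the checklist items.

Assumptions (not from the FDA guidance): role names, action names, the
idle timeout, the password policy and the set of actions permitted under
emergency (break-glass) access are all illustrative.
"""
import hashlib
import hmac
import os
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SESSION_TIMEOUT_S = 300        # idle time after which a session is invalid (assumed)
PBKDF2_ITERATIONS = 200_000    # password-hash work factor (assumed)
MIN_PASSWORD_LEN = 12          # minimum password length (assumed)

# Role -> actions it may perform. Administrators configure the device but
# do not set therapy; clinical roles set therapy but cannot reconfigure it.
ROLE_PRIVILEGES = {
    "caregiver": {"view_status", "silence_alarm"},
    "physician": {"view_status", "silence_alarm", "set_dose"},
    "admin":     {"view_status", "configure", "update_firmware"},
}
# Actions that change therapy or the device itself require MFA.
PRIVILEGED_ACTIONS = {"set_dose", "configure", "update_firmware"}
# Emergency access covers clinical actions only, never device configuration.
BREAK_GLASS_ACTIONS = {"view_status", "silence_alarm", "set_dose"}


def password_meets_policy(pw: str) -> bool:
    """Minimum length plus at least one letter, one digit and one symbol."""
    return (len(pw) >= MIN_PASSWORD_LEN
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); the device stores only these."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Session:
    user: str
    role: str
    last_active: float
    mfa_verified: bool


class DeviceAccessControl:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes, str]] = {}  # user -> (salt, hash, role)
        self.sessions: Dict[str, Session] = {}                # token -> session
        self.audit: List[Tuple[float, str, str, str]] = []    # (time, user, action, outcome)

    def add_user(self, user: str, pw: str, role: str) -> None:
        if role not in ROLE_PRIVILEGES:
            raise ValueError(f"unknown role {role!r}")
        if not password_meets_policy(pw):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(pw)
        self.users[user] = (salt, digest, role)

    def login(self, user: str, pw: str, now: float, mfa_ok: bool = False) -> Optional[str]:
        """Verify the password in constant time; return a session token or None."""
        rec = self.users.get(user)
        if rec is None:
            self.audit.append((now, user, "login", "denied: unknown user"))
            return None
        salt, digest, role = rec
        if not hmac.compare_digest(hash_password(pw, salt)[1], digest):
            self.audit.append((now, user, "login", "denied: bad password"))
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user, role, now, mfa_ok)
        self.audit.append((now, user, "login", "ok"))
        return token

    def authorize(self, token: str, action: str, now: float) -> bool:
        """Idle timeout first, then the role check, then MFA for privileged actions."""
        s = self.sessions.get(token)
        if s is None:
            return False
        if now - s.last_active > SESSION_TIMEOUT_S:
            del self.sessions[token]
            self.audit.append((now, s.user, action, "denied: session timed out"))
            return False
        s.last_active = now
        if action not in ROLE_PRIVILEGES[s.role]:
            self.audit.append((now, s.user, action, "denied: role"))
            return False
        if action in PRIVILEGED_ACTIONS and not s.mfa_verified:
            self.audit.append((now, s.user, action, "denied: MFA required"))
            return False
        self.audit.append((now, s.user, action, "ok"))
        return True

    def break_glass(self, who: str, action: str, now: float) -> bool:
        """Emergency path: no login, a limited action set, and always audited."""
        allowed = action in BREAK_GLASS_ACTIONS
        outcome = "BREAK-GLASS " + ("ok" if allowed else "denied")
        self.audit.append((now, who, action, outcome))
        return allowed
```

The ordering inside `authorize` is deliberate: an expired session is rejected before the role is even consulted, so a timed-out token leaks nothing about what it could have done. The break-glass path is the concrete form of the "do not unreasonably hinder access" point: it trades authentication for a narrowed action set plus a mandatory audit record, which is what a reviewer would look for when a vendor claims emergency access is supported.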

In addition to its recommended cybersecurity controls, the guidance refers to two related FDA documents: Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices, and Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.

Conclusion

The FDA defines the "Level of Concern" as an estimate of the severity of injury that a device could permit or inflict, either directly or indirectly, on a patient or operator as a result of device failures, design flaws, or simply by virtue of employing the device for its intended use. Strict review of Class III devices is critical. Ensure every device has the clearance or approval its class requires (510(k) clearance or PMA approval), with particular attention to Class III. The importance of protecting these devices cannot be overstated.

About the author:
Miguel (Mike) O. Villegas is Vice President for K3DES LLC, a payment and technology-consulting firm. Mike has been a CISO for a large online retailer, partner for a "Big Four" consulting firm, VP of IT Risk Management, IT Audit Director for large commercial banks and owner of an information security professionals firm over a span of 30 years.

Next Steps

Check out the top ten ways to improve medical device security

The most popular mobile healthcare apps offer ubiquity and security

This was last published in February 2015


What does your organization do to ensure security of mobile devices?

For maximum security on mobile devices, it's important to remember several things. Firstly, make sure the user is using strong passwords to unlock the phone. Secondly, make sure they are encrypting their drive, so that no one can steal its data. Additionally, using VPNs and antivirus is a strong line of defense for the casual user who is not accessing internal servers and sensitive data.

I agree. Good points. Thank you for sharing. It adds to the article nicely.

Very little, until recently. I suspect it is more a case of not being ready for the explosion of mobile devices once BYOD opened the floodgates. For example, we use encryption for wireless connections, but did not even require a screen lock for mobile devices. Recent changes in our security posture now at least require mobile devices to be locked with a password meeting minimum strength requirements. I expect more changes to come into play as we continue to secure not only our network, but all of the devices that we connect to that network and work with.

Manufacturers should ensure their devices have an approval for the 510(k) or PMA. Security measures should be high, especially in Class III, to control attacks.

Merry495, that is correct. Thank you for clarifying my point.
