The Food and Drug Administration has published new recommendations for both manufacturers and regulators on how to deal with security for medical devices, including implantable devices. Calling device security a shared responsibility, the FDA guidance focuses on postmarket cybersecurity issues, such as vulnerability response and remediation.
The new document is not a set of regulations, but is simply guidance designed to give manufacturers and regulators a framework for medical device security issues. This topic has become a major concern in the last few years as manufacturers have added networking and other capabilities to more and more medical devices such as insulin pumps and pacemakers.
“Cybersecurity risk management is a shared responsibility among stakeholders including the medical device manufacturer, the user, the Information Technology (IT) system integrator, Health IT developers, and an array of IT vendors that provide products that are not regulated by the FDA. FDA seeks to encourage collaboration among stakeholders by clarifying, for those stakeholders it regulates, recommendations associated with mitigating cybersecurity threats to device functionality and device users,” the guidance says.
A large portion of the FDA guidance concerns the ways in which manufacturers assess the potential exploitability of a given vulnerability and how they respond to vulnerability reports. There are well-defined processes for this kind of assessment in the normal software and hardware worlds. But medical devices are a much different story, given their dedicated purposes and the potential consequences if a vulnerability is exploited.
“In many cases, estimating the probability of a cybersecurity exploit is very difficult due to factors such as; complexity of exploitation, availability of exploits, and exploit toolkits. In the absence of data on the probability of the occurrence of harm, conventional medical device risk management approaches suggest using a “reasonable worst-case estimate” or setting the default value of the probability to one. While these approaches are acceptable, FDA suggests that manufacturers instead consider using a cybersecurity vulnerability assessment tool or similar scoring system for rating vulnerabilities and determining the need for and urgency of the response,” the FDA guidance says.
In the new document, the FDA also wades into the murky waters of vulnerability disclosure. While not setting any hard and fast rules, the guidance suggests that, in cases where there is a serious risk of patient harm, manufacturers disclose vulnerabilities to customers as quickly as possible, but not later than 30 days after discovery. The guidance goes on to recommend that manufacturers fix new bugs within 60 days in those cases.
FDA officials echoed the advice that software security experts have been giving vendors for decades: Make security part of the design, development, and manufacturing process from the beginning.
“The best way to combat these threats is for manufacturers to consider cybersecurity throughout the total product lifecycle of a device. In other words, manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients,” Dr. Suzanne B. Schwartz, associate director for science and strategic partnerships at the FDA, said in a blog post on the new guidance.