Responding to a US Homeland Security warning on cyber-attacks against medical devices, the FDA has issued a non-binding guidance document for manufacturers. The FDA acknowledges that device security is the joint responsibility of health care facilities, manufacturers, providers and patients.
Although manufacturers must focus on cyber security throughout design and development, the FDA recognizes that failure to maintain security will impact functionality, data integrity and connected devices and networks. Compromised devices put patient safety and well-being at risk.
When developing medical devices, makers should design for cyber security, assess vulnerability and analyze risk.
The guidance document recommends that manufacturers concentrate on these security functions: identify, protect, detect, respond and recover.
Identify: Connected devices are more vulnerable than non-connected devices. Security deployment depends on how the device is employed, its electronic interfaces, operating environment, vulnerabilities, likelihood of exploitation and the patient risk if a breach occurs. Security control design should not impede usability in an emergency.
Protect using these security functions:
- Restrict access to trusted users using ID and password, biometrics and smart cards.
- Set up an automatic session timeout appropriate to use.
- Restrict privileges based on user or device roles and use multi-factor authentication for administrators and service personnel.
- Avoid reusing the same password across devices, and avoid passwords that are hard to change or at risk of public disclosure.
- Tamper-proof devices and communication ports with locks when possible.
- Restrict software updates of the operating system to authenticated users and authenticated code.
- Authorized personnel should follow systematic procedures when downloading manufacturer software.
- Ensure secure data transfer to and from the device.
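One way a device could enforce the session timeout, role and multi-factor, and authenticated-code items from the list above before accepting a software update. This is an added example, not code from the FDA guidance or any manufacturer; the roles, timeout value, key and function names are assumptions, and HMAC-SHA256 stands in for the manufacturer's code signature, which in practice would normally be an asymmetric signature.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# All values below are constructed for illustration (assumptions, not from the guidance).
UPDATE_KEY = b"constructed-demo-key"         # stand-in for the manufacturer's verification key
SESSION_TIMEOUT_S = 300                      # idle limit; choose per clinical use
UPDATE_ROLES = {"administrator", "service"}  # roles allowed to install software

@dataclass
class Session:
    user: str
    role: str
    mfa_passed: bool
    last_activity: float  # epoch seconds of the last user action

def sign_image(image: bytes, key: bytes = UPDATE_KEY) -> bytes:
    """Manufacturer side: authentication tag over the update image."""
    return hmac.new(key, image, hashlib.sha256).digest()

def authorize_update(session: Session, image: bytes, tag: bytes,
                     now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (allowed, reason); every check must pass before installing."""
    now = time.time() if now is None else now
    if now - session.last_activity > SESSION_TIMEOUT_S:
        return False, "session timed out"
    if session.role not in UPDATE_ROLES:
        return False, "role not permitted to update"
    if not session.mfa_passed:
        return False, "multi-factor authentication required"
    # Constant-time comparison of the expected and supplied tags.
    if not hmac.compare_digest(sign_image(image), tag):
        return False, "update image failed authentication"
    return True, "update authorized"

if __name__ == "__main__":
    image = b"constructed firmware image 2.1"  # constructed sample input
    tag = sign_image(image)
    tech = Session("tech01", "service", True, time.time())
    # The reason string is what the device would write to its security log.
    print(authorize_update(tech, image, tag))
    print(authorize_update(tech, image + b"tampered", tag))
```
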
Detect and Respond: Devise features that detect, recognize, log, time and react to security compromises. Instruct end users on post-breach response.
Recover: Design features to protect critical device functions despite compromised security and make sure authorized users are experienced in retention and recovery of device configuration.
The FDA encourages manufacturers to provide the following information in their pre-market documentation:
- A list of the cyber security risks examined.
- A list of device security controls with a defense of each, tying controls to risks using a matrix format.
- A summary of how they will provide software updates for continuing safety and efficacy of the device during its life cycle.
- Documentation of device integrity from beginning to end of production.
- Instructions and recommendations for anti-virus software and firewalls.