A Closer Look at New FDA Cybersecurity Guidance for Medical Devices

I recently uncovered an interesting statistic from CMO.com that says: “…Right now, most IoT smart devices aren’t in your home or phone; they are in factories, businesses, and health care…” IoT stands for Internet of Things and is a way to categorize devices that are networked together over the Internet. This statistic, which comes from an Intel infographic, hit the mark, especially with health care. Networked medical devices have been around for years now and their usage is increasing. The threat to them is also increasing. In fiction, a hacker on Homeland assassinated the fictional vice president of the United States by hacking his pacemaker. While that was television, the threat is real. In 2012, a researcher was able to adjust the dosage of insulin by reprogramming an insulin pump and delivered a fatal dose. Upon reading this and other articles, it came as no surprise that the US Food and Drug Administration has decided to do something about it.

The US FDA recently issued draft guidance for medical device manufacturers to address cybersecurity risks associated with such devices. Although the guidelines are still in draft, threats to medical devices are growing and can potentially put the public’s health at risk. It is important to note that the draft guidance is not a response to any particular threat; however, cybersecurity companies have shown how vulnerable networked medical devices can be. The FDA also encourages medical device manufacturers to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment, and maintenance of the device.

What Does it Mean for Your Organization?

If you are a medical device manufacturer, the FDA is making post-market recommendations to monitor, identify, and address cybersecurity vulnerabilities and exploits as part of your post-market management activities for these devices. Your organization should proactively plan for and assess cybersecurity vulnerabilities. Additionally, the guidance recommends you share information via an Information Sharing and Analysis Organization (ISAO), which is a collaborative group of public and private sector entities that share cybersecurity intelligence. By sharing information, members of the ISAO can quickly identify risks that may not have been visible in the past.

The draft guidance also recommends that manufacturers align themselves with a risk management program and adopt the 2014 NIST Cybersecurity Framework as the standard against which to measure security maturity. A risk management program will help your organization manage the risks associated with vulnerabilities and exploits identified in the devices. Manufacturers can be proactive, as the risk management program will ensure there is a vulnerability management program in place to handle and mitigate discovered vulnerabilities.

The draft guidance explains that for a small subset of cybersecurity vulnerabilities and exploits that may compromise a device and present a reasonable probability of serious adverse health consequences or death, the FDA requires manufacturers to notify the agency under 21 CFR 806.10. What this means is that the manufacturer has 10 working days to notify the FDA in writing of any correction (e.g. repair, modification, adjustment, relabeling) or removal of a device. In other circumstances, the vulnerabilities may not present a reasonable probability of death, and the manufacturer is not required to notify the FDA under 21 CFR 806.10. The draft guidance identifies these as routine cybersecurity updates or patches, which as such should increase device security and/or remediate vulnerabilities associated with controlled risk.

How Can CyberSheath Help Your Organization?

CyberSheath recommends beginning with an assessment to measure your maturity against the 2014 NIST Cybersecurity Framework. An assessment will identify gaps in coverage for the security controls. Starting now puts your organization ahead of the curve for when the final FDA guidance is released, leaving your competition to play catch-up.