FDA Scrutinizes Networked Medical Device Security - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Healthcare // Security & Privacy
Commentary
12/1/2014
08:36 AM
100%
0%

FDA Scrutinizes Networked Medical Device Security

Federal agencies are trying to address threats to the privacy and security of people using connected medical devices.

7 Important Tech Regulatory Issues In 2015
7 Important Tech Regulatory Issues In 2015
(Click image for larger view and slideshow.)

Networked medical devices are an important part of the current and future healthcare landscape, allowing for diagnostic analysis and therapeutic treatment options that are integral to our healthcare system.

When a technology becomes fundamental to healthcare, the measures protecting it and its users merit thoughtful analysis and oversight. Recognizing this, federal agencies are now publicly acknowledging and seeking to address the potential threat to the privacy of personal medical information and to patients relying on networked medical devices for diagnosis and treatment.

"Medical devices that contain computer hardware or software or that connect to computer networks are subject to the same types of cyber vulnerabilities as consumer devices," Suzanne Schwartz, director of emergency preparedness and medical countermeasures at the Center for Devices and Radiological Health of the US Food and Drug Administration (FDA), wrote in a blog post. "Strengthening the cyber security of medical devices requires collaboration and coordination among many stakeholders."

To help address these realities, the FDA is working with the Department of Homeland Security (DHS), medical device manufacturers, and healthcare professionals to identify and address the vulnerabilities of medical devices in our healthcare system. Though the FDA has not publically named the specific devices of highest concern, previous public reports have linked known vulnerabilities in certain infusion pumps and implantable pacemakers to potentially deadly outcomes from intentional corruption by malicious actors. In at least one instance, a cyber security expert has demonstrated his ability to override the limited safety precautions protecting multiple wireless-enabled pacemakers and command the hacked devices to deliver a potentially deadly 830-volt shock from a laptop up to 50 feet away.

(Image: Davide Restivo/Flickr)
(Image: Davide Restivo/Flickr)

[For more on the security of medical devices, see DHS Investigates Dozens Of Medical Device Cybersecurity Flaws.]

Though the FDA acknowledges that device manufacturers play a primary role in protecting their own products, the agency is ratcheting up oversight of the protection methods selected and how they are implemented. On Oct. 2, it finalized guidance on how device manufacturers should consider cyber security risks as part of the design and development process.

Its guidance emphasizes that medical devices capable of connecting to another device, the Internet or other networks, or portable media are at an increased risk for compromised functionality due to cyber security threats. Vulnerabilities in the security of such devices may arise during initial device development, as well as during the course of normal design updates. To address these vulnerabilities, the FDA recommends that manufacturers take extra precautions to address cyber security threats and document those precautions in all relevant new premarket submissions, including 510(k)s, de novo, and premarket approvals (PMAs).

To protect networked devices, the FDA recommends that manufacturers consider controls such as limiting access to devices via authentication features, using layered authorization models based on specific user needs, and implementing methods for retention and recovery of device configuration by authenticated users. For purposes of documentation, manufacturers should provide a formal hazard analysis of the risks associated with the device, as well a description of the plan for how identified and unidentified cyber security risks have and will be addressed. Failure to heed the recommendations on the implementation of appropriate controls or documentation of those controls could result in delayed or even denied premarket submission reviews.

The non-binding recommendations will help provide more direction in this area, particularly for small manufacturers that may not have access to dedicated cyber security experts. And even the best-prepared manufacturers can benefit from the documentation suggestions the guidance provides. By outlining cyber security premarket submission content recommendations, the FDA could lay the groundwork for a new category of de facto required information that will be needed for the agency to adequately review premarket submissions for connected devices.

The FDA recommendations would appear appropriate for many class III networked devices -- such as implantable pacemakers -- that support or sustain human life. However, for class I and II devices -- particularly those that may not be fully networked but are capable of connecting to portable media such as USB devices and CDs -- the recommendations may be overly prescriptive. Though the FDA acknowledges that manufacturers should carefully consider the balance between cyber security safeguards and the device's usability, there is considerable expectation that the agency will weigh more heavily the desire for strong security measures taken by a manufacturer than the cost those measures have on device usability and functionality. Manufacturers may be asked to walk a fine line in following the recommendations while still providing customers the software access and flexibility they want and need.

Given the federal government's increased concern about cyber security in general, device manufacturers are well advised to closely evaluate the security processes they are applying to the design of their products. That includes, at a minimum, identifying and addressing the cyber security risks of the devices they manufacture and documenting the steps the manufacturer has taken to implement appropriate risk-mitigation measures.

How the cloud, virtualization, mobility, and other network-altering trends impact security -- and the IT pros responsible for infrastructure protection. Get the Network Security Career Guide issue of Network Computing today.

Philip Desjardins is a Counsel in Arnold & Porter's Washington, DC office where he represents medical device, diagnostic, pharmaceutical, dietary supplement and cosmetic companies in regulatory and policy matters View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
What Digital Transformation Is (And Isn't)
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/4/2019
Commentary
Watch Out for New Barriers to Faster Software Development
Lisa Morgan, Freelance Writer,  12/3/2019
Commentary
If DevOps Is So Awesome, Why Is Your Initiative Failing?
Guest Commentary, Guest Commentary,  12/2/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Slideshows
Flash Poll