Networked medical devices are an important part of the current and future healthcare landscape, allowing for diagnostic analysis and therapeutic treatment options that are integral to our healthcare system.
When a technology becomes fundamental to healthcare, the measures protecting it and its users merit thoughtful analysis and oversight. Recognizing this, federal agencies are now publicly acknowledging and seeking to address the potential threat to the privacy of personal medical information and to patients relying on networked medical devices for diagnosis and treatment.
"Medical devices that contain computer hardware or software or that connect to computer networks are subject to the same types of cyber vulnerabilities as consumer devices," Suzanne Schwartz, director of emergency preparedness and medical countermeasures at the Center for Devices and Radiological Health of the US Food and Drug Administration (FDA), wrote in a blog post. "Strengthening the cyber security of medical devices requires collaboration and coordination among many stakeholders."
To help address these realities, the FDA is working with the Department of Homeland Security (DHS), medical device manufacturers, and healthcare professionals to identify and address the vulnerabilities of medical devices in our healthcare system. Though the FDA has not publicly named the specific devices of highest concern, previous public reports have linked known vulnerabilities in certain infusion pumps and implantable pacemakers to potentially deadly outcomes from intentional corruption by malicious actors. In at least one instance, a cyber security expert has demonstrated his ability to override the limited safety precautions protecting multiple wireless-enabled pacemakers and command the hacked devices to deliver a potentially deadly 830-volt shock from a laptop up to 50 feet away.
Though the FDA acknowledges that device manufacturers play a primary role in protecting their own products, the agency is ratcheting up oversight of the protection methods selected and how they are implemented. On Oct. 2, it finalized guidance on how device manufacturers should consider cyber security risks as part of the design and development process.
Its guidance emphasizes that medical devices capable of connecting to another device, the Internet or other networks, or portable media are at an increased risk for compromised functionality due to cyber security threats. Vulnerabilities in the security of such devices may arise during initial device development, as well as during the course of normal design updates. To address these vulnerabilities, the FDA recommends that manufacturers take extra precautions to address cyber security threats and document those precautions in all relevant new premarket submissions, including 510(k)s, de novo, and premarket approvals (PMAs).
To protect networked devices, the FDA recommends that manufacturers consider controls such as limiting access to devices via authentication features, using layered authorization models based on specific user needs, and implementing methods for retention and recovery of device configuration by authenticated users. For purposes of documentation, manufacturers should provide a formal hazard analysis of the risks associated with the device, as well as a description of the plan for how identified and unidentified cyber security risks have been and will be addressed. Failure to heed the recommendations on the implementation of appropriate controls or documentation of those controls could result in delayed or even denied premarket submission reviews.
The non-binding recommendations will help provide more direction in this area, particularly for small manufacturers that may not have access to dedicated cyber security experts. And even the best-prepared manufacturers can benefit from the documentation suggestions the guidance provides. By outlining cyber security premarket submission content recommendations, the FDA could lay the groundwork for a new category of de facto required information that will be needed for the agency to adequately review premarket submissions for connected devices.
The FDA recommendations would appear appropriate for many class III networked devices -- such as implantable pacemakers -- that support or sustain human life. However, for class I and II devices -- particularly those that may not be fully networked but are capable of connecting to portable media such as USB devices and CDs -- the recommendations may be overly prescriptive. Though the FDA acknowledges that manufacturers should carefully consider the balance between cyber security safeguards and the device's usability, there is considerable expectation that the agency will weigh more heavily the desire for strong security measures taken by a manufacturer than the cost those measures have on device usability and functionality. Manufacturers may be asked to walk a fine line in following the recommendations while still providing customers the software access and flexibility they want and need.
Given the federal government's increased concern about cyber security in general, device manufacturers are well advised to closely evaluate the security processes they are applying to the design of their products. That includes, at a minimum, identifying and addressing the cyber security risks of the devices they manufacture and documenting the steps the manufacturer has taken to implement appropriate risk-mitigation measures.