Medical devices expected to step up digital defenses

We all would like to think that the place where we feel most vulnerable – a health care facility – is as safe as it could be. No wonder the recent reports claiming it is possible – even easy – to remotely manipulate a piece of medication dispensing equipment, access bloodwork results, or alter digital medical records attracted so much attention.

Clearly, the issue has the U.S. Food and Drug Administration’s (FDA) attention, as evidenced by its draft guideline on cybersecurity for medical devices and the warning to address the cybersecurity risks, both issued in June 2013. With the rise of wireless, Internet, and networking technologies in medical devices, the need for effective cybersecurity measures to assure device functionality and to secure patient information has become more important than ever.
 

FDA Guidelines

The FDA guideline calls on medical device manufacturers to consider security during device design and to consider cybersecurity risks as part of the required risk analysis. Additionally, a matrix linking the risks to the control measures is recommended. Although the FDA guidelines themselves are not legally binding, they do represent the FDA’s view, or interpretation, of the regulations. Therefore, manufacturers can expect the FDA to request evidence that the guideline is followed when submitting the 510(k) documentation for clearance or a Premarket Approval Application (PMA).

The guideline lists the following vulnerabilities that can impact medical devices and hospital network operations:

• Failure to provide timely security software updates and patches to medical devices and to address related vulnerabilities in older medical device models that may have operating systems that are no longer supported
• Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection
• Network-connected/configured medical devices infected or disabled by malware
   

The FDA guidance on cybersecurity states that manufacturers should consider three principles and develop a set of security controls to assure medical device cybersecurity: confidentiality, integrity, and availability.

• The confidentiality principle holds that data should be accessible to authorized persons only, and an authentication system with proper usernames and passwords, biometrics, and time-outs should be in place.
• The integrity principle is in place to ensure accuracy of data. It calls for a secure system so that data cannot be improperly modified and for secure coding, encryption, environmental guidelines, locks on devices and ports, secure firmware updates, and similar.
• The availability principle aims to provide assurance that system and information are available when needed through secure coding, encryption, emergency access options, and proper fail-safe and recovery features.
   

To demonstrate to the FDA that cybersecurity has been properly addressed, section five of the guideline calls on medical device manufacturers to specifically provide the following documentation:

1. Evidence of risk assessment – A specific list of all cybersecurity risks considered in design and a specific list of all controls and justifications
2. Traceability matrix – A matrix that links actual cybersecurity controls to identified risks
3. Safe lifecycle – A systematic plan for providing updates, patches for the operating system and device software
4. Malware protection – Documentation to demonstrate that the device is provided free of malware
5. Anti-virus documentation – Device instructions for use and recommended anti-virus software or firewall use in life, even if it is anticipated that users may employ their own virus protection software
    

In addition to the FDA requirements, many hospitals require manufacturers to provide evidence that their devices are secure and not susceptible to cybersecurity risks. The best way for manufacturers to demonstrate that their devices are hardened against attacks is to integrate cybersecurity solutions during the early stages of product development and document the assessment and remediation actions.

Manufacturers can also implement a a three-prong cybersecurity lifecycle approach to evaluate susceptibilities:

1. Risk assessment to identify all possible attack threats, objectives, and methods
2. Prioritize the highest risk threats, objectives, and methods, and develop remediation plan and/or compensating controls to mitigate the risks
3. Scan for vulnerabilities to identify which vulnerabilities have controls. Those without controls are likely to provide an opportunity for a cyber-attack
    

As the industry, public, and regulatory agencies become more aware of the issue, a variety of services are being developed and introduced to the market. The services help manufacturers analyze current threats and vulnerabilities within medical device software and communication systems and range from design consulting, assessment and testing, and finally, remediation. These services can help companies not only meet regulatory and health care provider purchase requirements but can also protect the brand name and reputation by reducing the possibility of a successful attack.

Cybersecurity experts should work alongside the design team to identify the potential cybersecurity risks based on the device features and help them design a more secure product. They advise on methods to address the risks, document them, and suggest controls to manage the risks. Devices should undergo a number of assessments or tests to identify their vulnerabilities:

• A vulnerability assessment to determine how susceptible the device is to cybersecurity attacks from internal or external sources
• Penetration testing consisting of automatic and manual attempts to identify, exploit and penetrate the network, system or application security vulnerabilities to obtain access to the medical device and associated data
• Software source code analysis involving an application security assessment that uses a combination of tools and manual review to assess the security posture of the application
   

Even though we may still feel vulnerable at a hospital for a while, the good news is that significant measures are being taken to reduce the harm from potential cybersecurity attacks. Manufacturers can help ensure digital defenses of medical products by incorporating cybersecurity expertise in the design phase, resulting in safer products in the Internet of Things world. Health care providers, in turn, can include medical device cybersecurity in their governance, risk, and compliance strategy.

TÜV Rheinland
www.tuv.com

About the authors: David Surber is VP Medical Products and Carol Sams is VP Partner Development at TÜV Rheinland. Surber can be reached at 925.249.9123 or dsurber@us.tuv.com, and Sams can be reached at 415.389.0298 or csams@openskycorp.com.