
Applying the new FDA medical device guidance to infosec programs

New FDA medical device guidance demonstrates the need for better cybersecurity during manufacturing and use. Expert Nick Lewis explains how enterprises can use the recommendations.

U.S. government laws, regulations and guidance do not move as quickly as the technology community, and, many times, are late in responding to long-awaited and urgent requests to keep up with the times. The government needs to take into account many different stakeholders -- including the international community -- and the possible effect new guidelines would have on them, such as the impact on the industry and changes to the entire product lifecycle.

The healthcare sector has been under significant pressure to anticipate and prevent data breaches, as well as to secure its complex business and medical systems and devices. In this tip, we'll look at the U.S. Food and Drug Administration's (FDA) medical device cybersecurity guidance for manufacturers and share how enterprises can incorporate it into their information security programs.

FDA medical device cybersecurity guidance

The FDA released its new medical device guidance, "Postmarket Management of Cybersecurity in Medical Devices," in December 2016. The guidance is fairly high level and builds upon the work of NIST and other agencies. It covers general principles, risk management, remediating and reporting vulnerabilities, reporting requirements, participating in information sharing and analysis organizations, and the elements of an effective postmarket security program. All these aspects are meant to cover the entire software development lifecycle of the device, as well as hardware development, and to provide recommendations on how to include security all the way through to the device's deployment in patient care environments, which involves monitoring and updating the device.

The FDA medical device guidance for manufacturers includes a section with examples of vulnerabilities associated with an uncontrolled risk of patient harm, along with the response actions required for remediation. A glaring example is the risk of a pacemaker being reprogrammed by an unauthorized user, which surfaced in the previously reported case of St. Jude Medical's Merlin@home cardiac device.

Incorporating the guidance into enterprise security programs

For the FDA medical device guidance to have the most impact, enterprises need to incorporate it into their information security programs as requirements that device manufacturers need to meet. Otherwise, due to the non-binding nature of the guidance, few medical device manufacturers may actually take the steps to secure medical IT devices. Individuals may even want to look into certain medical devices they might use, and find out how they adhere to the FDA guidance, if at all.

One area where the guidance could have gone further is in providing additional implementation details or hard requirements, such as mandating participation in an information sharing and analysis organization.

The FDA medical device guidance has many good recommendations on how enterprises should treat medical devices with IT components as an important part of their IT infrastructure. Enterprises should start including the medical devices in their information security and IT risk management programs, and should apply standard security controls to the devices as appropriate. The devices can be tested for security, similar to other hardware, software or services, through vulnerability scanning, network monitoring and more.

The FDA also recommends assessing the risk of harm to patients from a vulnerability being exploited. This assessment could include evaluating the risk from network downtime for a particular medical device and ensuring business continuity and disaster recovery plans are in place, so the enterprise knows how to respond during such an event. The enterprise should also ensure that only authorized users can change the settings on a device, such as a pacemaker, so that the patient can feel safe when it is surgically implanted.

Conclusion

Healthcare networks and ecosystems are diverse and very complex, containing many different types of devices, including legacy systems that require high levels of security to protect people and sensitive data. The Health Insurance Portability and Accountability Act has been the legislative standard for over 20 years, but more specific guidelines are needed to keep pace with the rapidly changing environment.

The FDA medical device guidance puts more pressure on manufacturers to ensure their devices are secure. With constant data breaches and security issues in healthcare, protecting the medical devices and systems that are critical to the health and well-being of society is not a futile effort.
