FDA to product developers: Think about cybersecurity early

Agency issues draft guidance document to help manufacturers consider cybersecurity issues prior to seeking marketing clearance

Contracting executives should consider checking out the cybersecurity-related documentation that prospective vendors provided the U.S. Food and Drug Administration prior to getting clearance to market their device or equipment.

This summer, the FDA issued a draft guidance document for manufacturers recommending how they should document measures taken to “provide effective cybersecurity management and to reduce the risk that device functionality is intentionally or unintentionally compromised.”

According to the FDA, manufacturers should develop a set of security controls to maintain information confidentiality, integrity and availability:

  • “Confidentiality” means that data, information, or system structures are accessible only to authorized persons and entities and are processed at authorized times and in the authorized manner.
  • “Integrity” means that data and information are accurate and complete and have not been improperly modified.
  • “Availability” means that data, information, and information systems are accessible and usable on a timely basis in the expected manner.
  • Manufacturers should define and document key components of their cybersecurity risk analysis and management plan, including:
  • Identification of assets, threats, and vulnerabilities.
  • Impact assessment of the threats and vulnerabilities on device functionality.
  • Assessment of the likelihood of a threat and of a vulnerability being exploited.
  • Determination of risk levels and suitable mitigation strategies.

Potential security features
The FDA recommends that developers of medical equipment and devices provide justification in the premarket submission for the security features chosen, and that they consider appropriate security control methods for their medical devices, including:

  • Limit access to trusted users only (with user IDs, passwords, smartcards, biometrics, etc.).
  • Ensure trusted content (by restricting software or firmware updates to authenticated code; using systematic procedures for authorized users to download version-identifiable software and firmware from the manufacturer; etc.).
  • Use fail-safe and recovery features, which 1) protect the device’s functionality, even when its security has been compromised; 2) allow for security compromises to be recognized, logged, and acted upon; and 3) provide methods for retention and recovery of device configuration by an authenticated system administrator.

FDA guidance documents do not establish legally enforceable responsibilities. Instead, they describe the agency’s current thinking on a topic and should be viewed as recommendations, unless specific regulatory or statutory requirements are cited. To view the draft guidance document, go to http://www.fda.gov/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm356186.htm

Sidebar: AHA resources

American Hospital Association members can access a variety of cybersecurity-related resources on the AHA website.

They include:

  • Four questions every hospital leader should ask in order to prepare for and manage cybersecurity risks.
  • Top six actions to manage hospital cybersecurity risks.
  • AHA member webinar series: Cybersecurity for healthcare leaders.
  • Factsheet: Hospitals implementing cybersecurity measures.

To access the website, go to http://www.aha.org/advocacy-issues/cybersecurity.shtml.

Sidebar: Make MDS2 part of the procurement process

Contracting executives can get need-to-know, security-related information about the networked devices and equipment for which they are contracting with the “Manufacturer Disclosure Statement for Medical Device Security (MDS2).”

Developed by the Healthcare Information and Management Systems Society (HIMSS) and standardized through a joint effort between HIMSS and the National Electrical Manufacturers Association (NEMA), the MDS2 form provides medical device manufacturers with a means of disclosing the security-related features of their medical devices. Providers can use it to assess the vulnerabilities and risks associated with protecting the health information transmitted or maintained by medical devices.

Key benefits of using a standardized form, according to HIMSS and NEMA, include:

  • Provides a comprehensive set of medical device security questions developed through broad stakeholder participation and medical device vendor buy-in.
  • Allows for easy comparison of security features across different devices and different manufacturers.
  • Facilitates the review of the large volume of security-related information supplied by manufacturers.

To learn more about the “Manufacturer Disclosure Statement for Medical Device Security,” and to download a copy, go to http://www.himss.org/resourcelibrary/MDS2?navItemNumber=21740.