Medical devices are increasingly being connected to hospital networks, the internet, patient home networks, and to other medical devices. This broad sharing of information allows physicians to respond to patient needs more quickly and tailor treatment plans based on outputs from medical devices in use. However, these capabilities also increase the risks associated with cybersecurity. Medical devices are vulnerable to similar cybersecurity risks as most other computer systems and require a layering of controls to protect patient information and help avoid patient harm.
Medical Device Security and Managing Cybersecurity Risks:
Medical device manufacturers should monitor for cybersecurity threats and vulnerabilities associated with their devices. Manufacturers must comply with various federal regulations. One set of regulations, i.e., Quality System Regulations, includes requirements for the manufacturer to address all risks, including cybersecurity risks. Medical devices can, and should, be updated in response to identified security risks. According to the FDA.gov site, the FDA does not usually need to review changes made to medical devices solely to provide strengthened cybersecurity controls. Additionally, the manufacturer is responsible for validating all software design changes to address cybersecurity vulnerabilities. When off-the-shelf- software is used within medical devices, the manufacturer is responsible for security, safety, and performance of the device utilizing the software. The FDA recommends that organizations delivering healthcare should work closely with the manufacturers of devices used within their facilities to communicate about changes and updates being made to address security risks.
FDA’s Guidance on Cybersecurity Risks within Medical Devices
In October 2018, the FDA issued guidance to medical device manufacturers for improving cybersecurity protections on their devices. One of the main components of the guidance states that manufacturers of medical devices should use a risk-based approach when determining device design features and the level of cybersecurity resilience appropriate for the device. The two tiers of cybersecurity risks were defined within the guidance as:
Tier 1: Higher Cybersecurity Risk
The device is capable of connecting (wired or wirelessly) to another medical or non-medical product, or to a network, or to the Internet -AND- a cybersecurity incident affecting the device could directly result in patient harm to multiple patients.
Tier 2 – Standard Cybersecurity Risk
These medical devices don’t meet the criteria for a Tier 1 device.
The guidance also offers input on managing cybersecurity-related risks for medical devices based on the NIST Cybersecurity Framework. Additionally, it outlines specific labeling recommendations to communicate to end-users relevant security information. These recommendations include, but are not limited to:
- Device instructions and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g., anti-virus software, use of a firewall)
- Description of the device features that protect critical functionality, even when the device’s cybersecurity has been compromised
- Backup and restore features and procedures to regain configurations
- Description of how the device is or can be hardened using secure configurations
- A list of network ports and other interfaces that are expected to receive and/or send data
- Description of how the design enables the devices to announce when anomalous conditions are detected, such as security events.
Cybersecurity risks associated with connected medical devices are gaining attention. Consequently, expectations of medical device manufactures are being more clearly defined. Responsibilities for overall cybersecurity protections of medical devices and the networks to which they are attached are also being defined. To best protect against cybersecurity risks associated with medical devices, healthcare organizations and medical device manufactures should work closely together to confirm the application of appropriately layered controls to the utilization of medical devices.