In-brief: The U.S. Food and Drug Administration (FDA) on Friday issued new guidelines, calling on medical device makers to do a better job addressing cyber security vulnerabilities and exploits as part of their management of deployed medical devices.
The FDA’s so-called “postmarket” guidance follows the agency’s October 2014 approval of similar guidance for “premarket” devices, those still under development by device makers. Unlike the premarket guidelines, however, the new document covers the huge population of medical software and hardware that is already in use at medical facilities across the country.
The guidance contained in the document is non-binding. However, it acts as a kind of guidepost for medical device manufacturers as well as for customers and private sector security researchers who find vulnerabilities in medical devices.
The FDA calls on medical device manufacturers to “implement comprehensive cybersecurity risk management programs” that include a way to handle complaints from customers and researchers, conduct quality audits of postmarket devices, perform software validation and risk analysis on medical devices and take corrective action to address known flaws.
Priority should be given to vulnerabilities that “may permit the unauthorized access, modification, misuse or denial of use of devices” or provide unauthorized access to information stored on the device or transferred from it, the FDA recommends.
Among other things, medical device manufacturers are advised to adopt a “coordinated vulnerability disclosure policy and practice” akin to what many software firms have implemented in recent years. Device makers are also urged to participate in an information sharing and analysis organization (ISAO) akin to those in the banking, energy and (more recently) automotive sectors.
“Postmarket cybersecurity information may originate from an array of sources including independent security researchers, in-house testing, suppliers of software or hardware technology,” the document reads. “Sharing and dissemination of cybersecurity information and intelligence pertaining to vulnerabilities and threats across multiple sectors is integral to a successful postmarket cybersecurity surveillance program.”
The guidance is a good start, wrote Kevin Fu of the University of Michigan, an expert on the security of medical devices. “There’s a lot that the FDA guidance gets right,” Fu wrote on Tuesday, noting that securing the huge population of deployed products is a far more difficult task than setting guidelines for products that are still under development and haven’t yet reached the market.
“The post market guidance is mostly about people and effective communication,” Fu said.
Still, he took issue with parts of the guidance that zero in on the security risks of “networked” and “connected” medical devices, a focus Fu considers a “red herring.”
“A network is not necessary for a cybersecurity exploit; malware gets in just fine by unhygienic USB drives carried by unsuspecting personnel. Social engineers still use telephones to trick personnel into enabling unauthorized remote access,” Fu notes. In its final guidance, the FDA should focus on the “outcomes of compromise and risks of vulnerabilities” rather than the different attack modes and methods, which Fu observes are “constantly evolving.”
The security of medical devices from cyber attack has been an area of increasing concern for the FDA. In addition to the premarket guidance it issued in 2014, the agency has issued specific recommendations, for example, regarding the use of certain wireless security protocols with medical devices. The FDA has also sponsored a series of meetings to hash out issues related to medical device security. On Wednesday and Thursday, the agency is hosting yet another on Collaborative Approaches to Medical Device Cybersecurity.
Device makers have been slow to address security issues when they are reported. But Fu notes that medical device makers are only one party in the room; security researchers also need to act responsibly. “Security folks who discover potential problems need to be aware of timescales for responses to responsible security vulnerability disclosures,” he said.
In a panel at the FDA forum on Wednesday, experts said the document will make it easier for medical device makers to treat cyber security as part of the existing Quality Systems Approach (QSA) that governs other aspects of medical device design and manufacture.
Joshua Corman of the firm Sonatype said that tried and true information security practices like information risk assessment and threat modelling are absent at many manufacturers, which lack in-house domain experience in information security and defense.
“We need to take the domain knowledge from cyber security and the domain knowledge from physical safety and combine the two,” he said.
A draft has been released to the public so that the agency can collect comments.