FDA Medical Device Cybersecurity: Understanding Your Basic Regulatory Requirements
A hacker gains access to someone’s insulin pump via its Wi-Fi connection and then overdoses the patient, killing them. A “made for TV” fantasy? Unfortunately not. In 2019 the FDA identified this very real risk to devices made by one of the largest medical device companies in the world.
Fortunately, there is no money to be made in inflicting harm on innocent patients, so hackers generally focus on breaching healthcare computer networks containing patient data, financial records, etc. However, the apparent rarity of direct medical device security breaches by hackers does not absolve you of your regulatory responsibility to take precautions against them. Manufacturers, hospitals/clinics, and users all play a role in preventing intrusion.
Planning and managing device security requires a cross-functional focus, including quality/regulatory and design coordination.
If your device connects to any sort of network, cybersecurity needs to be an important factor in your risk management process. The risks posed by security breaches are omnipresent and always evolving, so your risk analysis needs to take into account the likelihood that your device could be hacked and the severity of the harm if a vulnerability were exploited. You will need to work with your engineering and design team to make this assessment.
FDA places medical device cybersecurity risks into two buckets
FDA has published a draft guidance document intended to help manufacturers meet FDA guidelines for 510(k) or PMA submissions. In the document, FDA considers devices that connect to the internet, a network, or another device – and where an intrusion could result in harm to multiple patients – to be Tier 1 (higher risk) devices. Examples include pacemakers, brain stimulators, dialysis devices, infusion and insulin pumps, and connected systems that interact with these devices. Pretty much all other connected devices are considered Tier 2 (standard risk). It is important to note that this classification does not align with FDA device classification policies: a class II device such as an infusion pump may be a Tier 1 cybersecurity risk device, while a class III device such as a cardiac atherectomy device may be a Tier 2 cybersecurity device.
Yes, you are responsible for off-the-shelf (OTS) software embedded in your device
Many device manufacturers assume that OTS software incorporated into their device has been thoroughly tested for security vulnerabilities, and that the device manufacturer bears no responsibility for testing it further. Despite what an OEM supplier has done to test and validate their software, FDA still considers you responsible for 100% of your device, not 90%. This means that you must establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis plan. FDA issued a very short Q&A document on medical device OTS software technology light years ago (2005), but it is worth reviewing because the document addresses some common questions you may have.
Standardized form and cybersecurity bill of materials (SBOM)
The increased focus on awareness and scrutiny of cybersecurity issues has also led to the development of a standardized form that allows manufacturers to disclose the security-related features of their medical devices. The MDS2 form, developed by the Healthcare Information and Management Systems Society (HIMSS) and the Association of Electrical Equipment and Medical Imaging Manufacturers, allows buyers to more easily assess the vulnerabilities and risks associated with a specific medical device.
Complementary to the MDS2 documents is the cybersecurity bill of materials (SBOM) floated by FDA. This is a comprehensive list of all software packages incorporated into the build of software.
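A concrete illustration of what an SBOM makes possible, added here as an example and not taken from the article, from FDA or from any vendor: a minimal bill of materials for a hypothetical connected pump is checked against a constructed advisory list, and every component shipping a version older than the fixed one is flagged. It also serves the point in the previous section about OTS software, since this is a check the device manufacturer, not the OEM supplier, has to run and keep running after release. All component names, versions, suppliers and advisory identifiers below are constructed placeholders; the version comparison is a deliberate simplification of what real SBOM tooling does.

```python
"""Minimal SBOM check: which OTS components in a device build ship a
known-vulnerable version?  Added example for this article; the SBOM
entries and the advisory list are constructed and do not describe any
real device, vendor or vulnerability."""

from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Component:
    """One entry in the software bill of materials."""
    name: str
    version: str
    supplier: str
    purpose: str  # where in the device it runs (constructed field)


@dataclass(frozen=True)
class Advisory:
    """Constructed supplier advisory: versions below `fixed_in` are affected."""
    component: str
    fixed_in: str
    advisory_id: str  # placeholder identifier, not a real CVE


def parse_version(v: str) -> tuple:
    """Turn a dotted version such as '2.4.1' into a comparable tuple.
    Non-numeric segments compare as 0 (a simplification; real SBOM tooling
    applies ecosystem-specific version rules)."""
    return tuple(int(seg) if seg.isdigit() else 0 for seg in v.split("."))


def affected_components(sbom: Iterable[Component],
                        advisories: Iterable[Advisory]) -> List[Tuple[Component, Advisory]]:
    """Return every (component, advisory) pair whose shipped version is
    older than the version the advisory says fixes the issue."""
    hits = []
    for comp in sbom:
        for adv in advisories:
            if adv.component == comp.name and \
                    parse_version(comp.version) < parse_version(adv.fixed_in):
                hits.append((comp, adv))
    return hits


def sbom_summary(sbom: Iterable[Component]) -> Dict[str, List[str]]:
    """Group components by supplier so a review can see which OTS vendors
    the device depends on (the manufacturer still owns all of them)."""
    by_supplier: Dict[str, List[str]] = {}
    for c in sbom:
        by_supplier.setdefault(c.supplier, []).append(f"{c.name} {c.version}")
    return by_supplier


# Constructed SBOM for a hypothetical connected infusion pump build.
DEVICE_SBOM = [
    Component("rtos-kernel", "4.2.0", "Example RTOS Vendor", "controller firmware"),
    Component("tls-lib", "1.0.8", "Example Crypto Project", "network stack"),
    Component("json-parser", "2.3.1", "Example Parser Project", "pump-to-gateway messages"),
    Component("ble-stack", "3.1.0", "Example Radio Vendor", "Bluetooth link"),
]

# Constructed advisory list standing in for the supplier or public
# vulnerability feed a postmarket process would consume.
ADVISORIES = [
    Advisory("tls-lib", "1.0.9", "ADVISORY-PLACEHOLDER-1"),
    Advisory("json-parser", "2.3.0", "ADVISORY-PLACEHOLDER-2"),  # already fixed in this build
    Advisory("ble-stack", "3.2.0", "ADVISORY-PLACEHOLDER-3"),
]

if __name__ == "__main__":
    for supplier, parts in sbom_summary(DEVICE_SBOM).items():
        print(f"{supplier}: {', '.join(parts)}")
    for comp, adv in affected_components(DEVICE_SBOM, ADVISORIES):
        print(f"AFFECTED {comp.name} {comp.version} ({comp.purpose}); "
              f"fixed in {adv.fixed_in} [{adv.advisory_id}]")
```

Run as a script, the block lists the build's components by supplier and then flags `tls-lib` and `ble-stack`, while `json-parser` passes because the shipped version is already at or above the fix. The same comparison is what has to keep running after a device leaves active support, which is the end-of-life question the next section raises.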
Cybersecurity throughout the device life cycle and beyond
A final thing to keep in mind is the risk posed to patients and users after you stop supporting the device. What risks exist for older models once software patches are no longer offered? How will you deal with them? This needs to be part of your overall risk assessment and addressed in your postmarket surveillance plan.
While no widespread attack on medical devices in the US has yet been publicly reported, that does not diminish the importance of taking precautionary steps to prevent such an attack from happening. The number of medical devices connected to the internet and other networks will surely continue to grow, and with it the risk that hackers will engage in nefarious activities. Manufacturers must remain vigilant and follow current best practices for cybersecurity.
Want to learn more?
Oriel STAT A MATRIX offers a variety of training classes that can bring your understanding of risk management to the next level. Our ISO 14971 training class is one of our most popular along with our cybersecurity training. Of course, our risk consultants are ready to help as well.