In September 2023, the United States Food and Drug Administration published its latest guidance document (docket # FDA-2021-D-1158) on the cybersecurity of medical devices. This is an update to the final guidance issued in October 2014, called “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” It contains the regulatory body’s recommendations for the cybersecurity design, labeling, and documentation of medical devices.
Aimed at advancing the security of medical devices and their resilience from cyber threats, the guidance document includes details on factors to take into account to maintain system quality as well as the information needed for premarket safety regulation submissions.
A welcome development in cybersecurity
In line with the Biden government’s push for better cybersecurity in response to modern threats, the recently-issued FDA Cybersecurity Guidance document highlights the importance of broadening security visibility. Everyone needs to keep up with the impact of expanded digitalization and internet penetration. As devices gain modern functions and connectivity, they contribute to the expansion of cyber attack surfaces and the possible weakening of cyber defenses.
For nearly a decade now, the regulations on medical devices have been formulated without emphasizing cyber risks. Policymakers were already aware of the potential cyber attacks on connected medical devices, but not the kind of sophistication and aggressiveness the healthcare industry is facing now. Many electronic products used in healthcare are essentially little computers that are predisposed to various cyber threats. They are also remotely controllable and online, so it makes perfect sense to secure them from hackers and other bad actors.
Also, the regulations of the past have not taken into account the changes in the IT architecture and environments. Back then, it was acceptable to set up perimeter defenses. Nowadays, with the advent of the Internet of Things, wearables, embedded devices, and cloud computing, on-premise and perimeter-based protection no longer suffice. Devices and apps need to be secured at different levels to address different kinds of attacks effectively.
Cybersecurity guidance updates: notable highlights
One of the crucial details of the FDA’s September 2023 cybersecurity guidance for medical devices is the need to take cybersecurity beyond security validation and risk management. In particular, the guidance aims to have device manufacturers more involved in the cybersecurity of their products. Consumers should not bear most of the burden of ensuring robust cybersecurity. Device users have an important role to play in keeping threats at bay. However, device makers are in a better position to secure their products since they have the final say on the hardware and software used.
Ensuring Code Integrity
The FDA guidance recommends that device makers ensure the integrity of the code used in their products and ascertain data protection, especially when it comes to external inputs. Of note, malicious software is still a major problem for modern cybersecurity, but they are not the main threat. Devices can be compromised without using malware by taking advantage of code vulnerabilities like the possibility of having memory or buffer overflows.
Memory overflows occur when the data written on the allocated storage of a memory buffer exceeds the capacity of allocation. This can result in overwrites on adjacent memory clusters, which can cause apps to become dysfunctional or create opportunities for attacks. For example, a memory overflow leads to the modification of the execution path of a program, which can trigger a response that may cause file corruption or the divulgement of private information. It can also lead to the execution of malicious code, including code that grants the attacker access to IT systems.
As such, the FDA guideline recommends that organizations should “validate that all data originating from external sources is well-formed and compliant with the expected protocol or specification.” The buffer overflow vulnerability should be addressed before a medical device is made available to the market. This is done through rigorous code reviews and security validation measures.
Leveraging Advanced Intrusion Detection and Prevention Systems
Two of the modern cybersecurity solutions cited in the FDA guideline are host-based intrusion detection systems and host-based intrusion prevention systems (HIDS/HIPS). These are particularly geared towards endpoints such as workstations, laptops, smartphones, wearables, and IoT devices. They take advantage of third-party software tools to undertake various defensive measures that address anomalous activities.
These tools can send alerts to device users so they can address possible threats promptly. They can also generate activity logs especially whenever something malicious is detected, and reset network connections. Also, they can automatically drop malicious data packets and cut traffic from suspicious IP addresses to control intrusive activities before they can inflict significant damage.
There are HIDS/HIPS solutions currently available that can perform runtime intrusion and prevention functions without necessitating the installation of a full-fledged cybersecurity solution in a device, especially in low-resource (low-CPU, low-storage) devices like IoT appliances and wearables. Organizations should be taking advantage of these solutions to ensure the cybersecurity products throughout their product lifecycle.
Conventionally, device makers release security patches or firmware updates to address recently discovered security issues in their products. This is no longer enough at present, given how rapidly threat actors manage to compromise systems and inflict irreversible damage on the IT assets of their victims. HIDS/HIPS systems that can protect low-resource devices are particularly helpful at a time when more and more organizations adopt IoT gadgets and other low-resource devices in their everyday operations. They address the weaknesses of the reactive nature of conventional security patching and bring modern organizations towards proactive cybersecurity.
Cybersecurity: a shared responsibility
So what does the updated FDA cybersecurity guidance mean for the medical device industry? It means enhanced device protection that fairly compels device manufacturers to play a bigger role. Some may express contention over this slight shift in cybersecurity policy since it can mean more obligations for businesses which may entail more costs.
However, it is a commendable regulatory move given how device users have taken up most of the burden of cybersecurity for the longest time. Also, there are many things device makers can do to promote cybersecurity that users cannot, especially given the changing cyber threat landscape wherein conventional defenses are no longer effective.
The FDA’s 2023 cybersecurity guidance is a boon for the medical device industry as it helps ensure that only safe products are available on the market. Also, it guides businesses to be more dynamic in dealing with cyber threats, which are inevitable in the modern world and should be treated seriously given the life-or-death implications of using modern medical devices.
Interesting Related Article: “The FDA’s Role in Regulating Nasal Spray Manufacturers“