How medical device manufacturers can address new FDA cybersecurity guidelines

Dave Randleman

Field CISO, Penetration Testing, Coalfire

Dr. Sybil Ingram

Senior Consultant, Healthcare Cyber Risk Services, Coalfire

Advancements in technology in the healthcare industry have made medical devices increasingly vulnerable to cyber attacks. To embed better security practices into the manufacturing and implementation of medical devices, the FDA released a new mandate requiring a comprehensive cybersecurity plan for new medical device applications.

Key takeaways:

  • The Food and Drug Administration (FDA) recently released a list of key security deliverables to include in medical device applications submitted for the United States market.
  • The reporting required for an FDA application is extensive, and any setback or rejected submission will delay going to market.
  • Review our recommended steps to streamline your application to the FDA.

Medical devices are vulnerable to cyber attacks

In recent years, hackers have successfully targeted medical devices in numerous high-profile incidents involving attacks on insulin pumps, pacemakers, and other critical devices. While the reported percentages of medical devices with vulnerabilities vary widely depending on the study and the specific device tested, a significant portion of medical devices in use today contain security vulnerabilities that malicious actors can exploit.

A 2018 report by the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) found that 71% of medical devices tested had at least one cybersecurity vulnerability. Another study from The University of California, San Diego, found that nearly 70% of medical devices tested had vulnerabilities that could be exploited by attackers.

Given the modern advancements in technology that have made medical devices more connected than ever and the devastating impacts a successful cyber attack can have on the healthcare industry, healthcare organizations and medical device manufacturers must take action to secure and protect devices before entering a new market. To address this escalating issue, the FDA recently issued guidance requiring all new medical device applicants to submit a comprehensive cybersecurity plan.

The FDA’s new medical device cybersecurity guidance

The FDA’s mandated cybersecurity plan for all new medical device applications requires an outline of how devices will be monitored, updated, patched, and remediated. Applicants must provide “reasonable assurance” that the device and related systems are secure. Furthermore, a Software Bill of Materials (SBOM) must be provided, listing all software involved in the device's operation, including commercial, open-source, and off-the-shelf components.

The key security deliverables required in a medical device application are:

  1. Risk analysis and management. A comprehensive risk analysis and management plan that identifies and addresses potential security threats to the medical device.
  2. Software validation and testing. Documentation that demonstrates that the software and firmware in the medical device have been properly validated and tested to ensure they are secure and meet the FDA's requirements.
  3. Access control and authentication. Documentation that shows that the medical device has proper access control and authentication mechanisms in place to prevent unauthorized access.
  4. Encryption and data protection. Documentation that shows that the medical device has proper encryption and data protection measures in place to protect sensitive data.
  5. Incident response plan. An incident response plan that outlines how the manufacturer will respond to security incidents and data breaches.
  6. System configuration and management. Documentation that shows that the medical device has proper system configuration and management controls in place to ensure its security and compliance with the FDA's requirements.
  7. Security training. Documentation demonstrating that employees and users of the medical device have received appropriate security training.

By preparing these deliverables, medical device manufacturers can help ensure that their devices meet the FDA's requirements for security and can be safely brought to market in the United States.

Many manufacturers overlook critical compliance steps

The reporting required for an application is extensive, and any setback or rejected submission will delay getting a product to market.

One way to avoid delays is to work with a third-party advisor to get a comprehensive security assessment. High-quality assessment reports include the identification of vulnerabilities, a risk assessment, and remediation recommendations — all types of deliverables needed to present to the FDA to ensure the application is accepted in the first round.

Coalfire has vast experience working with the FDA and a deep understanding of its cybersecurity requirements. Our experts can provide clients with a detailed security assessment report that can be used to demonstrate compliance with the FDA’s cybersecurity requirements. We can also provide continuous support to ensure that a medical device remains secure.