Understanding Cybersecurity Threats to Medical Devices
The threat of cyber-attacks against medical devices is real. Medical devices capable of connecting, wirelessly, wired, or to portable media such as a USB drive, are more vulnerable to cybersecurity threats than unconnected devices.
We now know that cyber-criminals can hack into medical networks through relatively simple means. Although there have been no documented cases of attacks on medical devices such as pacemakers, defibrillators, and infusion pumps, security researchers have warned the healthcare industry that it lags far behind the computer industry in protecting devices from hackers.
It was a warning such as this in 2018 that led Medtronic to disable internet updates to more than 34,000 of its CareLink programming devices that are used by healthcare providers around the world to access implanted pacemakers. This action was taken by the company after researchers discovered that the system was vulnerable to cyber-attacks. Understanding that the threat of such an attack can cause alarm to patients who may have devices connected to the CareLink network, the FDA issued a safety notice announcing that it had reviewed the matter and approved of Medtronic’s decision to disable the internet updates.
The FDA’s Role in Medical Device Cybersecurity
The FDA’s mission for any product under their purview is to ensure that it is safe and effective. This means that it must be safe during the development stage and must remain safe after it has been placed on the market. Essentially, the Agency is involved in the entire lifecycle of the product when it comes to cybersecurity. Its concern is not only to ensure that the product is safe and effective when used as intended, but also that the function of the device isn’t compromised due to cybersecurity risks.
The Agency has published pre-market and post-market guidance documents that offer recommendations for comprehensive management of medical device cybersecurity risks, continuous improvement throughout the total product life-cycle, and incentivize changing marketed and distributed medical devices to reduce risk.
Each guidance document was created based on the recognition that medical device security is a shared responsibility between stakeholders, which includes manufacturers of medical devices, healthcare facilities, providers, and patients. Failure to maintain adequate cybersecurity can result in compromised device functionality, loss of personal and medical information, or exposure of other connected devices or networks to security threats. Such exposure could result in patient illness, injury, or death.
The FDA’s Pre-Market Guidance
This guidance is intended to assist the industry by identifying potential cybersecurity-related issues that manufacturers should be considered when designing and developing a medical device as well as when preparing pre-market submissions for those devices.
It’s the FDA’s position that manufacturers focus on mitigating patient risk in a robust and efficient manner. This mitigation can be done by following the cybersecurity framework developed by the National Institute of Standards and Technology (NIST): Identify, Protect, Detect, Respond, and Recover.
While identifying threats, manufacturers should balance cybersecurity safeguards and the usability of the device in its intended environment to ensure that the security controls are appropriate for the intended users. The Agency recommends that medical device manufacturers provide justification for the security functions chosen for their medical devices in their pre-market submission.
Manufacturers can protect users by limiting access to only trusted users. This can be done in ways that include the use of passwords, smartcards, biometric scanners, a layered authorization model, multi-factor authentication, physical locks on devices and their communication ports, and automatic timed methods to terminate sessions within the system.
Additional protections include restricting software or firmware updates to authenticated code, using systematic procedures for authorized users to download version-identifiable software and firmware from the manufacturer, and ensuring the security of data transfer to and from the device through encryption. Manufacturers should also:
- Implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use
- Develop and provide information to the end user concerning appropriate actions to be taken upon detection of a cybersecurity event
- Provide methods for retention and recovery of device configuration by an authenticated privileged user
The FDA’s Post-Market Guidance
Post-market guidance also follows NIST’s framework: Identify, Protect, Detect, Respond, and Recover.
Manufacturers are required to analyze complaints, returned products, service records, and other sources of quality data to identify existing and potential causes of nonconforming products or other quality problems (21 CFR 820.100). Manufacturers are encouraged to actively identify cybersecurity signals that might affect their product and engage with the sources that report them.
Regarding protection and detection, among other things, the FDA recommends that manufacturers characterize and assess identified vulnerabilities because doing so will provide information that will aid manufacturers with triaging remediation activities. When characterizing the exploitability of a vulnerability, manufacturers should consider factors such as remote exploitability, attack complexity, threat privileges, actions required by the user, exploit code maturity, and report confidence.
Manufacturers should conduct cybersecurity risk analyses that include threat modeling for each of their devices and update those analyses over time. The Agency also recommends that manufacturers analyze possible threat sources, which encompass the intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability.
Regarding responding and recovering, the Agency recommends that manufacturers assess and provide users with compensating controls such that the risk of patient harm is mitigated. Reporting and remediating are also essential components of any manufacturer’s response to a cybersecurity event.
Once all related information has been assessed and characterized, manufacturers should determine if the risk of patient harm presented by the vulnerability is adequately controlled by existing device features and manufacturer-defined compensating controls. Finally, the actions that are taken should reflect the magnitude of the problem and align with the risks encountered.
Cybersecurity is Ultimately the Manufacturer’s Responsibility
While cybersecurity is seen as a shared responsibility among all stakeholders, the ultimate responsibility for cybersecurity lies with the manufacturer. It’s their product, so it’s their responsibility. Fortunately, the FDA has issued comprehensive recommendations that, if followed, will either prevent or mitigate the impact of a cybersecurity attack.