
FDA Wants to See a Bill of Materials for Medical Devices


The Food and Drug Administration’s updated premarket guidance for medical devices puts the responsibility of developing secure devices directly on the manufacturers. The guidance lays out recommendations on what manufacturers should do before the devices get to market, as well as information to provide when submitting those devices to the FDA for approval.

The premarket guidance takes a “total product lifecycle approach to device safety” and provides security recommendations for device design, labelling, and documentation of “medical devices that have cybersecurity risk,” the FDA said. Manufacturers should also provide a “cybersecurity bill of materials” listing all components that could be susceptible to vulnerabilities when the devices are submitted to the agency premarket for approval.

"Because of the rapidly evolving nature of cyber threats, we're updating our [premarket] guidance to make sure it reflects the current threat landscape so that manufacturers can be in the best position to proactively address cybersecurity concerns when they are designing and developing their devices," said FDA Commissioner Dr. Scott Gottlieb.

The draft guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, is a refresh of the premarket guidance from 2014 and outlines what manufacturers should do to mitigate the threat of medical device compromise. The draft, which draws from the National Institute of Standards and Technology’s Framework for Improving Cybersecurity of Critical Infrastructure, covers preventing unauthorized use, ensuring trusted content and maintaining confidentiality of data, and detecting, responding to, and recovering from security threats. The FDA has a separate postmarket guidance, released in late 2016, which outlines the risk-based framework manufacturers should use to ensure they can respond to threats on these devices while they are in use.

Designing for Trust

Under the guidance, medical devices should be those “containing hardware, software, and/or programmable logic that (1) is reasonably secure from cybersecurity intrusion and misuse; (2) provides a reasonable level of availability, reliability, and correct operation; (3) is reasonably suited to performing its intended functions; and (4) adheres to generally accepted security procedures.”

While designing the devices, manufacturers should consider how they would assess the likelihood of a threat or of a vulnerability being exploited, as well as how to determine the risk level and suitable mitigation strategies. Manufacturers also need to provide users with enough information that they can define their risk acceptance criteria. Manufacturers should consider how to identify assets, threats, and vulnerabilities that can impact the devices, and how to assess the impact those issues could have on device functionality and patient care. The bill of materials would be an important resource in that regard.

The bill of materials is “a list of commercial, open source and off-the-shelf software and hardware components” that make up the device that could be susceptible to vulnerabilities. When vulnerabilities in components, such as in an open-source library or a development framework, are found, the biggest challenge for users is trying to figure out if that component exists in any of the software and hardware they are using. Having a list like this would give users, which encompass patients, providers and healthcare delivery organizations, a specific place to look to see if the vulnerability in question exists in their device.
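The lookup the bill of materials is meant to enable, as an added Python example (not the FDA's or the article's code): a device CBOM is checked against a vulnerability advisory to find which devices carry an affected component version. The CBOM entries, the advisory layout and its half-open affected version range are constructed for illustration.

```python
# Added illustration: match a constructed CBOM against a constructed advisory.
# Not FDA or MITRE code; the data layout below is an assumption.
import re
from typing import Dict, List, Optional, Tuple

# Constructed CBOM: per device, the commercial, open-source and off-the-shelf
# software and hardware components it is built from.
CBOM: Dict[str, List[Dict[str, str]]] = {
    "infusion-pump-A": [
        {"name": "openssl", "version": "1.0.2k", "type": "software"},
        {"name": "freertos", "version": "9.0.0", "type": "software"},
        {"name": "bt-module-x", "version": "2.1", "type": "hardware"},
    ],
    "home-monitor-B": [
        {"name": "openssl", "version": "1.1.1d", "type": "software"},
        {"name": "busybox", "version": "1.30.1", "type": "software"},
    ],
    "pacemaker-programmer-C": [
        {"name": "freertos", "version": "10.2.0", "type": "software"},
        {"name": "bt-module-x", "version": "2.1", "type": "hardware"},
    ],
}

# Constructed advisory: affected range is [introduced, fixed); fixed=None means
# no fixed release exists yet, so every version from "introduced" on is affected.
ADVISORY = {"component": "freertos", "introduced": "8.0.0", "fixed": "10.0.0"}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.0.2k' into (1, 0, 2): keep the leading digits of each dot part."""
    parts = [re.match(r"\d*", p).group() for p in v.split(".")]
    return tuple(int(p or 0) for p in parts)

def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when version lies in the half-open range [introduced, fixed)."""
    ver = parse_version(version)
    if ver < parse_version(introduced):
        return False
    return fixed is None or ver < parse_version(fixed)

def find_affected(cbom, advisory) -> List[Tuple[str, str]]:
    """Return (device, version) pairs whose CBOM lists a vulnerable version."""
    hits = []
    for device, components in cbom.items():
        for c in components:
            if c["name"] == advisory["component"] and is_affected(
                    c["version"], advisory["introduced"], advisory["fixed"]):
                hits.append((device, c["version"]))
    return hits
```

Only the infusion pump is flagged: the programmer ships the same component, but at a version past the fix.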

The draft guidance has specific recommendations on how to label the device so that security information is communicated effectively. The first step is to understand the potential impact on the device and the connected system; once that impact is understood, countermeasures can be deployed.

“Even when medical devices are not being deliberately targeted, if these products are connected to a hospital network, such as radiologic imaging equipment, they may be impacted,” said Gottlieb.

Tiers of Risk

The FDA wants to group these devices by “cybersecurity risk,” or the potential harm they could inflict on patients. Tier 1 devices are those that can connect, wired or wirelessly, to another device, a network or the Internet, and whose compromise would directly result in harm to multiple patients; this makes them higher risk. Tier 2 devices are everything else, with “standard” risk. Examples of Tier 1 devices include implantable cardiac devices, such as defibrillators and pacemakers; infusion and insulin pumps; and the supporting connected systems that interact with these devices, such as home monitors and those with command and control functionality, such as programmers.

To submit Tier 1 devices for FDA approval, manufacturers would need to include “documentation demonstrating how the device design and risk assessment incorporate the cybersecurity design controls described” in the guidance. Tier 2 devices need documentation demonstrating that the manufacturer has incorporated the design features and controls from the guidance or, where it has not, providing “a risk-based rationale for why those cybersecurity design controls are not appropriate.”

Not a Solo Job

Along with releasing the updated guidance, the FDA recently announced a new framework with the Department of Homeland Security to promote more collaboration between the two agencies to address medical device security. The DHS would act as the central vulnerability coordination center for medical devices and work with appropriate stakeholders. The DHS National Cybersecurity and Communications Integration Center will coordinate and enable information sharing between manufacturers, researchers, and the FDA. The FDA would provide the technical and clinical expertise regarding the devices, as well as information about .

The FDA also partnered with the MITRE Corporation on a “cybersecurity playbook” for health care delivery organizations on how to prepare for an incident involving medical devices. The Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook includes steps such as developing a medical device inventory and conducting training exercises. The FDA’s internal incident response playbook helps the agency “respond in a timely manner to medical device cybersecurity attacks – mitigating impacts to devices, health care systems and ultimately, patients,” Gottlieb said.

“Securing medical devices from cybersecurity threats cannot be achieved by one government agency alone,” Gottlieb said. “Every stakeholder – manufacturers, hospitals, health care providers, cybersecurity researchers and government entities – all have a unique role to play in addressing these modern challenges.”