The U.S. Food and Drug Administration (FDA) recently published new guidance aimed at helping medical device manufacturers manage cyber security risks.
Such risks, the FDA notes, include the following:
- malware infections of network-connected medical devices
- malware infections of computers, smartphones and tablets used to access patient data
- unsecured or uncontrolled distribution of passwords
- failure to provide timely security software updates and patches to medical devices and networks
- security vulnerabilities in off-the-shelf software designed to prevent unauthorized access to the device or network
“There is no such thing as a threat-proof medical device,” Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health, said in a statement. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”
The guidance, entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” [PDF], suggests that medical device security functions should include the following (among others):
- limit access to devices through the authentication of users
- use automatic timed methods to terminate sessions where appropriate
- where appropriate, differentiate privileges based on the user role
- strengthen password protection by avoiding hardcoded passwords
- where appropriate, provide physical locks on devices
- require user authentication before permitting software or firmware updates
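As an added illustration of how several of those functions fit together on a device (this is example code written for this page, not code from the FDA guidance or from any manufacturer), the following sketch implements a device-side access layer: user authentication against salted PBKDF2 hashes rather than a hardcoded password, automatic idle-timeout termination of sessions, role-based privilege differentiation, and a firmware-update path that refuses to run unless the caller holds an authenticated session whose role carries the update privilege. The account names, passwords, roles and the 300-second timeout are constructed assumptions for the demo; a real device would provision per-unit credentials and would also verify the firmware image's signature before applying it.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user store: credentials are salted PBKDF2 hashes (no hardcoded
# password anywhere in the firmware) and each account carries a role.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt), "role": role}


# Constructed sample accounts (assumption: one clinician, one service technician).
USERS = {
    "nurse1": make_user("correct horse", "clinician"),
    "svc42": make_user("battery staple", "service"),
}

# Privileges differ by role: only the service role may apply firmware.
ROLE_PRIVILEGES = {
    "clinician": {"read_vitals", "silence_alarm"},
    "service": {"read_vitals", "silence_alarm", "update_firmware"},
}

SESSION_TIMEOUT_SECONDS = 300  # assumed idle timeout for the demo


class DeviceAccessControl:
    """Authentication, timed session termination and role checks for one device."""

    def __init__(self, users=USERS, timeout=SESSION_TIMEOUT_SECONDS, clock=time.monotonic):
        self._users = users
        self._timeout = timeout
        self._clock = clock            # injectable so tests can advance time
        self._sessions = {}            # token -> {"user": ..., "last_seen": ...}

    def login(self, username: str, password: str):
        """Return a session token on success, None on failure."""
        user = self._users.get(username)
        # Hash against dummy values for unknown users so timing does not reveal
        # which usernames exist; compare in constant time.
        salt = user["salt"] if user else b"\x00" * 16
        expected = user["hash"] if user else b"\x00" * 32
        digest_ok = hmac.compare_digest(hash_password(password, salt), expected)
        if user is None or not digest_ok:
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "last_seen": self._clock()}
        return token

    def _session(self, token):
        """Look up a session, terminating it automatically if it has gone idle."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > self._timeout:
            del self._sessions[token]  # automatic timed termination
            return None
        session["last_seen"] = now
        return session

    def authorize(self, token, privilege: str) -> bool:
        """True only for a live, authenticated session whose role holds the privilege."""
        session = self._session(token)
        if session is None:
            return False
        role = self._users[session["user"]]["role"]
        return privilege in ROLE_PRIVILEGES.get(role, set())

    def update_firmware(self, token, image: bytes) -> str:
        """Gate the update on authentication and role before touching the image."""
        if not self.authorize(token, "update_firmware"):
            return "denied"
        # A real device would verify the image's signature here before flashing.
        return "applied"


if __name__ == "__main__":
    ac = DeviceAccessControl()
    tok = ac.login("nurse1", "correct horse")
    print("clinician may read vitals:", ac.authorize(tok, "read_vitals"))
    print("clinician firmware update:", ac.update_firmware(tok, b"\x00"))
    svc = ac.login("svc42", "battery staple")
    print("service firmware update:", ac.update_firmware(svc, b"\x00"))
```

The clock is injected so the idle timeout can be exercised deterministically; in production the default monotonic clock is used. Note that the update gate checks the session on every call rather than caching an earlier authorization result, so a session that expired between login and the update request is refused.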
While much of the guidance may seem pretty straightforward, SailPoint president and founder Kevin Cunningham said by email that it’s a crucial first step.
“If organizations focus on the spirit of the mandate and change their overall behavior, rather than simply focusing on tactical improvements, they’ll be in a much better position to enable mobile devices while protecting data,” Cunningham said.
With medical devices accessing sensitive patient data on a regular basis, Cunningham said, concerns regarding their security are highly relevant — particularly if you consider how often customer data is breached when a laptop is lost or stolen.
“When you think of a mobile device containing personal healthcare information, and how easy it is to misplace or steal one of those devices, you can understand why the FDA is focusing on security,” Cunningham said.
Ultimately, Cunningham said, the FDA is taking the right approach to helping manufacturers secure these devices. “They’re clearly saying that security of mobile devices is important, but they’re leaving a lot of latitude to individual organizations around how to address those concerns,” he said.
Even basic guidance could well be of use for many organizations — Forrester Research recently reported that more than 41 percent of healthcare organizations still haven’t deployed endpoint encryption.
The FDA plans to hold a public workshop on medical device and healthcare cybersecurity on October 21 and 22, 2014.