FDA Releases Security Guidance for Medical Devices

As more industries have embraced data and digital technologies, the need for better cybersecurity has become increasingly clear. The medical sector, in particular, has seen rapid digitization over the past few years and security standards have yet to catch up. New guidance from the Food and Drug Administration (FDA) aims to fix that.


On April 8, 2022, the FDA released draft cybersecurity guidelines for medical devices. If these regulations go into effect, they’ll replace the last update from 2018 and hold the health electronics sector to a higher set of standards.


What Does the FDA Guidance Entail?


The draft guidelines cover many specific regulations across every stage of the device life cycle. These fall under four general principles:


● Cybersecurity as part of device safety and quality system regulations (QSR)

● Designing for security

● Transparency

● Submission documentation


Cybersecurity as Part of Quality System Regulations


The first principle holds that a device’s cybersecurity architecture, and the security of the process used to develop it, are a critical part of whether the device can be considered to meet quality system requirements. That means medical devices and the teams that create them must establish and meet relevant security benchmarks.


What these benchmarks are varies depending on the risks the device poses. The more vulnerable a device or its data is, the more robust its cybersecurity standards should be. To meet these requirements, the FDA recommends creating a secure product development framework (SPDF) to identify and reduce vulnerabilities from the start of development.


Designing for Security


The next principle judges a device’s security by looking at five categories:


● Authenticity

● Authorization

● Availability

● Confidentiality

● Updatability


These objectives are fairly consistent with existing guidelines. The Health Insurance Portability and Accountability Act (HIPAA), for example, requires access controls and encryption for protected health information (PHI). Providing sufficient authorization and confidentiality controls helps meet those standards.


As with the first principle, the standards for these objectives vary depending on the number and severity of a device’s vulnerabilities. The FDA also stresses that device manufacturers should address each category during design, not simply by adding extra security measures after production.


Transparency


In the draft, the FDA states that a lack of information about a device’s security can hinder its safety and efficacy. As a result, manufacturers need to provide instructions on how to use and secure their products properly.


While this may not seem like a normal cybersecurity step, it’s an important one for the industry. Basic human error accounts for as much as 31% of data breaches in healthcare. If device manufacturers make it easier for users to understand the vulnerabilities they may face and how to mitigate them, they can prevent many incidents.


Submission Documentation


The final principle of the draft regulations covers what device manufacturers should report to the FDA. Before bringing a product to market, businesses have to disclose any security risks, directions for use, security controls, and recommended extra protections. This documentation should cover not just the device itself but also the broader environment in which it will operate, so that the risks are put in context.


Why the Medical Industry Needs New Security Standards


These suggested regulations could be a substantial step forward for the medical industry. Medical devices, especially internet of things (IoT) gadgets, have exploded in popularity over the past few years. However, many of them may introduce unnecessary risk, because the most recent FDA guidance on security standards was a 2018 update to a 2014 regulation.


Since then, cyber risks in healthcare have become far more common. The number of patients affected by healthcare cyberattacks has tripled since 2018, impacting 45 million people in 2021. While adopting new technologies can help deliver better care, it also puts sensitive data at risk if hospitals can’t secure these devices.


As hospitals implement more IoT devices, their attack surfaces expand and give attackers more chances to steal their valuable data. Part of the responsibility to stop these attacks falls to device manufacturers, as it’s easier to ensure safety if devices are secure by design.


These new guidelines should help ensure manufacturers meet that standard and make sure hospitals can advance while keeping patient data private.


Medical Cybersecurity Is Evolving


While this guidance is still just a draft, it represents a promising step forward. The healthcare industry is taking cybersecurity more seriously, as it should, given its rapid digitization.


Implementing these device controls won’t stop every cyberattack. However, they will stop many and make it easier for hospitals and other users to keep their systems secure. All businesses involved in this industry should keep a close eye on these regulatory developments to stay compliant and safe.


doctorchaos.com and drchaos.com is a blog dedicated to Cyber Counter Intelligence and Cybersecurity technologies. The posts will be a discussion of concepts and technologies that make up emerging threats and techniques related to Cyber Defense. Sometimes we get a little off-topic. Articles are gathered or written by cyber security professionals, leading OEMs, and enthusiasts from all over the world to bring an in-depth, real-world look at Cyber Security. About this blog: doctorchaos.com and drchaos.com and any affiliate website do not represent or endorse the accuracy or reliability of any information, content or advertisements contained on, distributed through, or linked, downloaded or accessed from any of the services contained on this website, nor the quality of any products, information or any other material displayed, purchased, or obtained by you as a result of an advertisement or any other information or offer in or in connection with the services herein. Everything on this blog is based on personal opinion and should be interpreted as such. Contact Info: If you would like to contact this blog, you may do so by emailing ALAKHANI(AT)YMAIL(DOT)COM


© 2018 Dr. Chaos 
