Concern over the security of networked medical devices appears to be spreading, with FDA now weighing in on the matter.
FDA in June issued a safety bulletin, titled, "Cybersecurity for Medical Devices and Hospital Networks," targeting medical device makers, hospitals and health care IT personnel. Also that month, FDA published draft guidance for device manufacturers on managing cybersecurity in medical devices. Interested parties will have until mid-September to submit comments on the guidance, which may lead to formal regulations.
FDA's move follows a 2012 Department of Homeland Security warning on medical device security. The report, titled, "Attack Surface: Healthcare and Public Health Sector," pointed to the communications security of medical devices as a "major concern," citing the potential for medical information theft and malicious intrusion.
Academics and IT security vendors also have highlighted the vulnerabilities of network-attached medical devices.
The FDA documents represent another security consideration for health care organizations already dealing with new HIPAA regulations and the meaningful use program's security risk analysis requirement.
"It is another set of guidance we have to look at," said Jason Thomas, CIO at the Green Clinic Health System based in Ruston, La. "We are still in the middle of doing meaningful use and standing up all of these different systems into the [electronic health record]."
For the moment, the safety communication and draft guidance are not requirements, but recommended actions. The guidance provides a general sense of direction and also paves the way for specific rules and regulations, noted Matthew Neely, director of strategic initiatives at SecureState LLC, a Cleveland, Ohio-based management consulting firm that specializes in information security.
"It's the first step in making a big change," he said.
FDA's Latest Guidance
FDA's medical device cybersecurity guidance marks a return to a topic FDA addressed eight years ago. In 2005, the agency published recommendations regarding the security of medical devices containing off-the-shelf software. In its latest foray, FDA said it has become aware of "vulnerabilities and incidents" that could affect medical devices or hospital networks. The agency's safety communication listed a number of problems including malware infecting or disabling network-connected medical devices, uncontrolled distribution of passwords and failure to deploy security software updates and patches to medical devices in a timely manner.
Against that background, FDA recommends hospitals take the following steps as part of a network security evaluation:
- Restrict unauthorized access to the network and networked medical devices;
- Ensure that antivirus software and firewalls are up-to-date;
- Monitor network activity for unauthorized use;
- Periodically evaluate network components with an eye toward updating security patches and disabling unnecessary ports/services;
- Contact the device manufacturer if a cybersecurity problem appears to surface; and
- Develop strategies to maintain critical functionality during adverse conditions.
FDA's draft guidance for medical device makers, meanwhile, provides advice for manufacturers preparing to notify FDA regarding their plans. The guidance, for example, applies to 510(k) notifications in which manufacturers inform FDA of their intent to bring a new medical device to market. The recommendations also cover premarket approvals (PMAs). FDA requires makers of Class III medical devices, those that support human life, to submit a PMA application to clear their devices for commercial introduction. The PMA process involves a scientific and regulatory review.
The draft guidance recommends that manufacturers "consider appropriate security control methods" for their devices. The FDA's list of suggested methods includes:
- Limiting access to trusted users via authentication approaches such as user ID, password, smartcard and biometric;
- Ensuring secure data transfer to and from the medical device, using encryption when appropriate; and
- Implementing fail-safe device features that protect critical functionality and also deploying features that let organizations recognize, log and act upon security compromises.
Chantal Worzala, director of policy at the American Hospital Association, said the organization welcomes the draft guidance. She said FDA's recommendations highlight the relationship between the IT embedded in medical devices and a hospital's larger IT infrastructure.
"We are at a time when many medical devices come with an IT component," Worzala said. "It is very important that medical device manufacturers pay attention to the security of the IT systems that are part of their devices."
FDA's advice to hospitals, she added, is very much in line with the activities facilities already pursue.
Thomas said he is confident that the way Green Clinic is managing medical device security now "will keep us up to date with the new rules." The clinic recently completed the rollout of Dell SonicWALL firewalls, among other Dell products. The firewall rules, Thomas said, have been set to make sure a given medical device only communicates with a particular destination system such as an EHR.
Neely, meanwhile, called the FDA documents "a good start" that should help increase awareness in the health care community.
Paul Christman -- vice president, public sector at Dell Software, which offers security solutions to health care and other industries -- added that FDA's guidance raises the profile of medical device security issues. He said most of the concerns FDA cited are not new, but noted that the agency's focus makes those considerations "front and center" and sparks discussion.
Neely noted, however, that much of the FDA's guidance dwells on basic security steps such as setting passwords and encrypting devices. Neely said he hopes FDA will move forward with more specific recommendations and best practices, once the general guidance receives approval. The more detailed guidance could then be incorporated into FDA's device certification process.
Neely pointed to a couple of security measures he'd like to see included in future FDA guidance. For one, the guidance should call for manufacturers and third parties to test the security features added to medical devices. In addition, FDA should require a review of system design documentation alongside technology reviews such as penetration tests. He said the documentation review aims to make sure that a device's architecture was designed with security in mind.
FDA guidance may nudge device makers to become more mindful of security. But safer products will still fall short if health care personnel don't deploy them effectively. Neely said FDA should also include, as part of subsequent guidance, instructions on how to secure medical devices when they are put on a network.
"A lot of medical practitioners don't know how to implement them," Neely said of the security features of medical devices.