The document discusses two recent FDA guidance documents regarding cybersecurity for medical devices. The June 2013 guidance addresses cybersecurity controls that should be incorporated into medical devices connected via networks. The August 2013 guidance encourages risk assessments of wireless technology in medical device design. The document provides an overview of the guidance and considerations for medical device manufacturers and healthcare facilities for incident response and reporting of cybersecurity issues related to networked medical devices.
The FDA and BYOD, Mobile and Fixed Medical Device Cybersecurity
Published originally for ISSA Journal, September 2013 issue (www.ISSA.org)
Authors: Pam Gilmore, BS Business Administration, ISSA Raleigh, NC member.
Valdez Ladd, CISSP, CISA, COBIT 4.1, CIW-SP, CNSS NSTISSI 4011 ISSP,
MBA. MAIA, Member ISO Technical Committee 215 Health Informatics
Working Group 4 - Privacy & Security
Abstract:
In June 2013, the U.S. Food and Drug Administration (“FDA”) released draft guidance: “Content of
Premarket Submissions for Management of Cybersecurity in Medical Devices”. This was followed
in August by the FDA's “Radio Frequency Wireless Technology in Medical Devices Guidance for
Industry and Food and Drug Administration Staff”.
This article is intended for the customer facing risk managers, sales staff, and IT staff of a medical
device manufacturer and their medical doctors and IT hospital and clinical counterparts. It is
intended to give an overview and highlight process considerations for incident management and
reporting of cybersecurity issues.
Disclaimers: This article is an IT security awareness document only. It is not to be considered an
official FDA document guide or consulting tool. Please seek legal counsel and consult your own
corporate IT security along with any additional external professional expertise as deemed necessary
for your business.
Also note that the views expressed in this article are solely those of the authors and do not
necessarily reflect the positions of any current or former employers or organizations.
In June 2013, the U.S. Food and Drug Administration (“FDA”) released draft guidance
titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”.
Its goal is to begin the process of bringing the cybersecurity of network-connected or
network-accessible medical devices under the FDA's jurisdiction. This draft will be accessible for
public comment until mid-September 2013. Final rules are expected to be published in early 2014.
Healthcare is a high security environment, one which is under constant attack. It
is always combating the risk of exposure of protected patient health information (PHI). This
requires using technical, administrative, and physical security controls for network connected
medical devices. Though mobile smartphone and tablet applications are not covered currently, it is a
good assumption that a security requirement is coming, modelled on the current draft for network
connected devices that this research paper covers.
Therefore it is important that information technology (IT) security professionals not view
this FDA draft through the prism of the customary CIA (confidentiality, integrity & availability)
triad. It is too limited for use within the medical sector. A better heuristic is the more complete
PAINS (privacy, availability, authentication, integrity, non-repudiation and safety), which accounts for
the stringent demands of medical devices and applications for patient requirements. (Sloane)
1. Sloane, Elliot B. (PAINS) “Medical Device Security HITECH-AARA and FDA related Security Issues”-NIST/OCR
HIPAA Conference, (11, 12 May 2010) – http://csrc.nist.gov/news.../HIPAA.../1-4-health-devices-sloane-drexel.pdf
Though it surprised some people outside the medical
field, it can be seen as regulations trying to catch up to
the explosion of Internet and network devices. This ranges
from implanted devices such as insulin pumps, patient
medical imaging storage, and wireless medical BYOD
devices to X-Ray, MRI, ultrasound units, and other
diagnostic equipment. Though this is a US regulation, it is
sure to influence many other nations across the world as
they consider their medical device review, acceptance, and
procurement processes and laws to address cybersecurity
risks to patients and their privacy. See figure 1.
2. ElBoghdady, Dina. Health apps under the microscope. 2012. Photograph. chicagotribune.com, Chicago. Web. 7 17
2013.
<http://articles.chicagotribune.com/2012-06-26/business/ct-biz-0626-health-apps-20120626_1_smartphone-application-
mobile-apps-android>.
Illustration 1: (El Boghdady)
While the FDA document did not cite outside technical references, there are several
useful authoritative documents to consider. First, NIST SP 800-124 Revision 1 covers
securing both organization-provided and personally-owned (bring your own device) mobile
devices.
Also the NIST Special Publication 800-53 (Rev. 4) and 800-53A (Rev. 1) Security Controls
and Assessment Procedures for Federal Information Systems and Organizations should be added to
the list. Finally be familiar with ISO/DTR 17522 Health informatics --Provisions for Health
Applications on Mobile/Smart Devices 2013-01-29 30.20 and ISO/AWI TR 80001-Application of
risk management for IT-networks incorporating medical devices.
Existing Quality documentation processes for existing regulated device error reporting will
have to include cybersecurity knowledge or subject matter expertise. This will allow for capturing
relevant data in the case of a fast moving major security incident. This information should be made
available to the medical device manufacturer's technical support per modality (ultrasound, X-Ray,
blood serum diagnostic, etc.,) and quality control staff. Each may have training for serious incident
hazard reporting, but will need to incorporate cybersecurity. This process will require expert
training and review so their reporting processes can be efficient and compliant.
The degree of harm caused by a major virus infection, rootkit or other malware can be
extensive and possibly fatal. Time will be essential as the number of mobile medical devices grows
and their connection via wireless networks grows. The same will be true for stationary and mobile
imaging devices. Professional expertise will be needed for the preliminary incident. Only basic data
gathering can be handled over the telephone with the customer.
Anything beyond the basic five questions of who, what, when, where, and how (if possible) will
require more training and on-site investigation by the manufacturer’s experts for the malware
affected medical device. Semi-automated forensic hardware-and-software tools and processes have
to be made available for deployment by device manufacturers in the USA and other countries that
adopt similar levels of assurance and investigation. The manufacturer's customer facing IT and
modality engineer staff will face a growing need to incorporate first responder capabilities within this area.
Wireless Radio Frequency (RF) Devices
The FDA's “Radio Frequency Wireless Technology in Medical Devices Guidance for
Industry and Food and Drug Administration Staff” pressures manufacturers to consider the use of
wireless technology in their medical devices. Also it encourages a risk based assessment of RF
wireless technology in the device's design. The report states “The correct, timely, and secure
transmission of medical data and information is important for the safe and effective use of both
wired and wireless medical devices and device systems”. See figure 2.
FDA (2013, August 13). Radio Frequency Wireless Technology in Medical Devices.
http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/4GuidanceDocuments/ucm077210.htm
The newest, fast-growing area in medicine is bring-your-own-device (BYOD). The
range of services and medical references that doctors and clinical staff have at their disposal is a
powerful incentive to use the smartphone, tablet or other mobile device they have learned and
mastered. However, as one security expert stated, wireless implantable devices and other patient
monitoring equipment "could be a back door into your network," noted Peter Swire, an Ohio State
University law professor and former presidential adviser on privacy issues. (Desta)
3. Desta, A., "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices - Draft Guidance
for Industry and Food and Drug Administration Staff". US-FDA (2013, 06) -
http://www.fda.gov/medicaldevices/deviceregulationandguidance/guidancedocuments
4. csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pd
5. csrc.nist.gov/publications/nistpubs/800-53A.../sp800-53A-rev1-final.pdf
6. csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf
7. www.iso.org/iso/catalogue_detail.htm?csnumber=59949
FDA Cybersecurity Draft details:
On June 13, 2013, the U.S. Food and Drug Administration (“FDA”) released draft guidance
titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
Draft Guidance for Industry and Food and Drug Administration Staff”. It proposes that cybersecurity
controls should be incorporated into vulnerable medical devices that are connected via wireless,
Internet and wired networks. The documentation for this is mainly contained in the Premarket
Notification (510(k)) and approval process for new medical devices.
Illustration 2: (Gollakota)
In addition to the draft guidance, the FDA published an FDA Safety Communication. It was
addressed to medical device manufacturers and their engineers. It was also intended for our nation’s
hospitals, clinics, and other health care facilities, including their health care information technology
(IT) and procurement staff. This was due to increased publications of cybersecurity issues. A
prominent publication was when the US Government Accountability Office (GAO) issued a report
titled, “Medical Devices: FDA Should Expand Its Consideration of Information Security for Certain
Types of Devices” on August 31, 2013. (GAO)
Later in January 2013 Cylance cybersecurity researchers Billy Rios and Terry McCorkle
discovered default embedded passwords for Philips, Inc. medical systems. They contacted the
company to communicate the vulnerabilities. However, when no response came they contacted the
US Dept. of Homeland Security (DHS), the Food and Drug Administration (FDA) and the US
Industrial Control Systems Cyber Emergency Response Team (ICS CERT) to persuade Philips, Inc.
to correct the security flaws quickly.
In addition, Cylance's Mr. Rios and Mr. McCorkle examined and discovered
vulnerabilities and weak access controls in almost 300 medical devices. An alert published on the
US government's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
website cited research from Billy Rios and Terry McCorkle of the cyber security firm Cylance Inc.,
who said they have identified more than 300 pieces of medical equipment that are vulnerable to
cyber-attacks on their firmware, embedded passwords and weak authentication. They include
surgical and anaesthesia devices, ventilators, drug infusion pumps, patient monitors and external
defibrillators.
8. ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01, The Industrial Control Systems Cyber Emergency Response Team
(ICS-CERT). (13 June, 2013). Retrieved from http://www.gao.gov/products/GAO-12-816
Note that the public draft contains non-binding recommendations and is open for public comment until
mid-September, when ninety (90) days have passed since its June 13th publication. Final rules would
follow and go into effect next year in 2014. The draft itself states that in principle the cybersecurity
requirements should be as least burdensome as practical, while still meeting requirements. Patches
to medical devices for updating cybersecurity would not require FDA approval unless patient safety
is affected. This includes anti-virus updates.
“Manufacturers should develop a set of security controls to assure medical device
cybersecurity to maintain the information’s [data] confidentiality, integrity, and availability. This
goal of avoiding compromised device functionality implicitly includes data at in-motion on the
network and at-rest on the medical devices.”
9. GAO. MEDICAL DEVICES, FDA Should Expand Its Consideration of Information Security for Certain Types of
Devices (31 August, 2012). Retrieved from http://www.gao.gov/products/GAO-12-816
10. Marianne Kolbasuk McGee, “Medical Device Security: A New Focus, Former Presidential Privacy Adviser
Addresses Mobile Security (15 April, 2012) -
http://www.healthcareinfosecurity.com/interviews/medical-device-security-new-focus-i-1882
11. Abiy Desta, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Draft
Guidance for Industry and Food and Drug Administration Staff" (14 June 2013) -
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf
12. Op. Cit GAO
13. Darren Pauli, "Patient Data Revealed in Medical Device Hack", (17 Jan 2013) -
http://www.scmagazine.com.au/News/329222,patient-data-revealed-in-medical-device-hack.aspx
14. Ransdell Pierson, Jim Finkle.,"FDA urges protection of Medical Devices from Cyber Threats" (13 June 2013) -
http://www.reuters.com/article/2013/06/14/us-devices-cybersecurity-fda-idUSBRE95C1IB20130614
Prior FDA Cybersecurity guidance:
Since medical devices that were not originally designed with networking capabilities were
isolated from the growing number of hospitals with local area networks (LAN) running TCP/IP,
their usefulness was seen as diminished. Hospitals wanted more capabilities without buying totally
new expensive medical devices. Manufacturers responded by connecting their medical devices
with computer workstations running TCP/IP. This was important as the use of digital imaging of
patient radiological (X-Ray & CT) and ultrasound images became more prominent.
The FDA responded with its draft report, “Cybersecurity for Networked Medical Devices
Containing Off-the-Shelf (OTS) Software,” issued on January 14, 2005. It noted that manufacturers'
software patches would generally not be reportable as a correction or removal under 21 C.F.R. part 806,
“because most software patches are installed to reduce the risk of developing a problem associated with a
cybersecurity vulnerability and not to address a risk to health posed by the device”. The FDA was
setting boundaries on liability for software patches to enhance safety without penalty to medical
device manufacturers. It was an important and needed step for medical device cybersecurity.
Risk Analysis:
Below is the risk analysis that the FDA's cybersecurity draft invokes, using many of
the concepts found in the NIST special publications for cybersecurity. Note that the documentation
requirements are generic to many risk analyses at the design stage. Building security into a product
at the design stage is always considered cheaper, more reliable and more manageable. Bolting on security
solutions or compensating controls after a product launch is more expensive and more difficult to defend
against highly skilled hackers.
Under FDA 21 CFR 820.30(g) the risk analysis includes three requirements. First is the
identification of assets, threats, and vulnerabilities and the impact assessment of their exploit
probability. Next is the determination of risk levels and suitable compensating controls. Finally, the
residual risk assessment and risk acceptance criteria for the medical device must be included to
complete the risk analysis.
Security Capabilities
Access Controls
• Remove “hardcoded” passwords (those that cannot be changed)
• Limit access to trusted users who are authenticated with multi-factor authentication
• Employ role based access control with time limited user sessions
• Physical locks must be used on devices, and on their communication ports when possible
15. http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments
/UCM356190.pdf
Incident Response
Ensuring Trusted Content is another requirement. Trusted software or firmware updates with
strong authentication is the foundation for this functionality. This leads to software whitelisting,
blacklisting (anti-virus), and secure software code signing becoming part of the security design.
This will also require secure data transfers to and from the medical device using encryption and
with authentication, authorization and accounting (AAA).
People and processes are also listed as parts within the scope of the solution. This includes the
creation of a customer notification system that is standardized, governed by procedure, and accessible
to the hospital IT staff, so that authorized users can download the correct, identifiable software and
firmware updates from the manufacturer in cases of incident response.
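One way a device could enforce the trusted-content checks described above before installing an update, as an added Python example that is not from the FDA draft or from the authors of this article. The key, model name, version numbers and firmware bytes are constructed, and HMAC stands in for the manufacturer's code signature only because it is in the standard library; a fielded device would verify an asymmetric signature.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC is a standard-library stand-in for the manufacturer's
# code signature; a fielded device would verify an asymmetric signature so that
# no signing secret is ever stored on the device.
DEMO_KEY = b"constructed-demo-key"


def sign_manifest(manifest, key=DEMO_KEY):
    """Manufacturer side: authenticate the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_update(image, manifest, tag, *, device_model, installed_version,
                  allowlist, key=DEMO_KEY):
    """Device side: return (accepted, reason); install only if accepted is True."""
    # 1. Authenticate the manifest before trusting any field inside it.
    if not hmac.compare_digest(sign_manifest(manifest, key).encode(), tag.encode()):
        return False, "manifest authentication failed"
    # 2. The downloaded image must be the one the manifest describes.
    digest = hashlib.sha256(image).hexdigest()
    if digest != manifest.get("sha256"):
        return False, "image does not match manifest digest"
    # 3. Whitelisting: only digests approved for this site may be installed
    #    (who maintains the allowlist is an assumption of this example).
    if digest not in allowlist:
        return False, "image digest not on allowlist"
    # 4. The update must be built for this device model.
    if manifest.get("model") != device_model:
        return False, "update is for a different device model"
    # 5. Refuse to reinstall or roll back to an older, possibly vulnerable build.
    if manifest.get("version", -1) <= installed_version:
        return False, "version is not newer than installed firmware"
    return True, "accepted"


# Constructed sample update for a hypothetical device model.
IMAGE = b"constructed firmware image, build 7"
MANIFEST = {"model": "PUMP-X", "version": 7,
            "sha256": hashlib.sha256(IMAGE).hexdigest()}
TAG = sign_manifest(MANIFEST)
ALLOWLIST = {MANIFEST["sha256"]}


def check(image=IMAGE, manifest=MANIFEST, tag=TAG, installed_version=6,
          allowlist=ALLOWLIST):
    """Run the device-side check for the sample device (model PUMP-X)."""
    return verify_update(image, manifest, tag, device_model="PUMP-X",
                         installed_version=installed_version, allowlist=allowlist)


if __name__ == "__main__":
    print("genuine update:  ", check())
    print("modified image:  ", check(image=IMAGE + b"\x00"))
    print("edited manifest: ", check(manifest={**MANIFEST, "version": 9}))
    print("rollback attempt:", check(installed_version=7))
    print("not allowlisted: ", check(allowlist=set()))
```

Each rejection reason is also the kind of event the device should log and report to the manufacturer's incident process.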
Note that the range of security for existing devices and their current design will limit their
security capabilities. For example, implantable medical devices use simple PIN codes similar to a
bank ATM. Smartphones and tablets have more computing power and can support encryption with
authentication, authorization and accounting (AAA).
Use Fail-Safe and Recovery Features
The FDA specifies the implementation of fail-safe device features that protect the device’s
critical functionality, even when the device’s security has been compromised. These features allow
for security breaches to be recognized, logged, and acted upon. They also provide methods for forensic
retention and recovery of device configuration by an authenticated system administrator. This
allows the medical technician or clinical staff to ramp down a treatment or examination for patient
safety when notified of a security breach.
Logging
Today major diagnostic and radiological examination devices are often remotely monitored
by medical device manufacturers for maintenance purposes. Mobile medical devices will need
added capacity for logging more diagnostic data, while medical implants such as pacemakers and
insulin pumps have very limited logging capabilities. Therefore forensic investigation using device
logging will vary depending on the medical device.
16. http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments
/UCM356190.pdf
Forensics
Forensic data and evidence now must be captured within the medical device manufacturer's
Hazard Report, which will be produced when any medical device incident occurs. This is an
existing standard report, so the forensics will only need to be appended to the medical
manufacturer's FDA complaint handling processes. This will drive demand for greater numbers of
medical device forensic specialists by manufacturers. HIPAA Privacy rules may be in conflict with
the forensic rules unless additional compensating privacy controls are put into place.
Cybersecurity Design Documentation
The 510(k) premarket submission by the medical device manufacturers should provide
attestation, with supporting documentation, of the cybersecurity design of their medical device.
Rather than going over each requirement, which would be highly redundant, we will highlight the most
critical areas not covered earlier. This will better serve the reader.
1. Hazard analysis, mitigations, and design
This documentation considers both intentional and unintentional cybersecurity risks
associated with the medical device under review. This is an important liability issue as the
definition for unintentional risks will need clarification in the future. Does the principle of
unintended consequences (R. Merton) come into scope? Every security design is a trade-off
between usability and security. How will the FDA judge this, as unintended risks are not the ones
intended by the medical device's purposeful design elements?
17. Merton, Robert K."The Unanticipated Consequences of Purposive Social Action". American Sociological Review 1
(6): 895. August 21, 2013.
http://www.d.umn.edu/cla/faculty/jhamlin/4111/2111-home/CD/TheoryClass/Readings/MertonSocialAction.pdf
2. Security Requirements Traceability Matrix
The key document for the Hazard analysis, mitigations, and design process will be the
Security Requirements Traceability Matrix (SRTM) document. It will link the actual
cybersecurity controls to the intentional and unintentional cybersecurity risks that were considered
at the time of design. The SRTM should identify all IT
security requirements for the medical device's design per the FDA. In addition it will map the
requirements to the existing IT security policy framework of the medical device manufacturer.
Lastly it should serve as an IT policy assessment checklist for internal and external auditors.
18. The Institute of Internal Auditors (2008). 12 Steps to IT Security Compliance. Gap News,3(1). Retrieved from
http://www.theiia.org/gap/index.cfm?act=GAP.printa&aid=2464
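A small traceability matrix with the gap checks an auditor would run over it, as an added Python example that is not part of the FDA draft or the original article. All risk, requirement, control and policy identifiers are hypothetical sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    req_id: str
    risks: tuple        # risk IDs from the hazard analysis that this requirement answers
    controls: tuple     # design controls that implement the requirement
    policy_refs: tuple  # sections of the manufacturer's IT security policy


# Constructed sample data; every identifier below is hypothetical.
RISKS = {
    "R-01": "Hardcoded service password allows unauthorized access",
    "R-02": "Unauthenticated firmware update installs modified code",
    "R-03": "Patient data readable in transit on the hospital network",
    "R-04": "Malware introduced through an open communication port",
}
CONTROLS = {
    "C-01": "Per-device changeable credentials",
    "C-02": "Signed firmware verified before install",
    "C-03": "Physical lock on communication ports",
}
REQUIREMENTS = [
    Requirement("SR-01", ("R-01",), ("C-01",), ("POL-AC-2",)),
    Requirement("SR-02", ("R-02",), ("C-02",), ()),       # not mapped to policy
    Requirement("SR-03", ("R-03",), (), ("POL-CR-1",)),   # no control designed yet
]


def build_matrix(requirements):
    """Flatten to rows (risk, requirement, control, policy); '-' marks a missing link."""
    rows = []
    for req in requirements:
        for risk in req.risks or ("-",):
            for control in req.controls or ("-",):
                for policy in req.policy_refs or ("-",):
                    rows.append((risk, req.req_id, control, policy))
    return rows


def find_gaps(risks, controls, requirements):
    """Return the broken or missing trace links, grouped by kind."""
    # A risk counts as mitigated only if a requirement with a real control cites it.
    mitigated = {r for q in requirements if q.controls for r in q.risks}
    referenced = {r for q in requirements for r in q.risks}
    used = {c for q in requirements for c in q.controls}
    return {
        "risks_without_control": sorted(set(risks) - mitigated),
        "requirements_without_control": [q.req_id for q in requirements if not q.controls],
        "requirements_without_policy": [q.req_id for q in requirements if not q.policy_refs],
        "controls_without_requirement": sorted(set(controls) - used),
        # IDs cited in the matrix that exist in neither register (typos, stale rows).
        "unknown_ids": sorted((referenced - set(risks)) | (used - set(controls))),
    }


if __name__ == "__main__":
    for row in build_matrix(REQUIREMENTS):
        print("%-5s %-6s %-5s %s" % row)
    for kind, ids in find_gaps(RISKS, CONTROLS, REQUIREMENTS).items():
        print(f"{kind}: {ids}")
```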
Anti virus (AV)
The FDA has called for an end to the tug-of-war between hospitals and medical device
manufacturers over anti virus software. Higher pricing for customized anti virus software from
manufacturers was justified by manufacturers under FDA safety mandates, to avoid damage to the
device's operation while patients are being treated. However many hospitals and clinics have had
their own anti virus contracts under their own central administration. Now the FDA is mandating
detailed instructions for end-user operations and product specifications related to
recommended anti-virus (AV) software and any device firewall settings. This includes
the manufacturer's recommended safe use of anti-virus software. It also includes how the hospital
should equally safely use and operate its own anti-virus software. Again the issue of liability in
case of an infection at a hospital using the manufacturer's instructions for third party AV
software will have to be resolved by the FDA or a court of law later.
Summary:
The FDA's guidance raises the standard for cybersecurity and risk management for
medical devices. Newer devices sold starting in 2014 and afterward, when the final cybersecurity
guidance takes effect, will over time phase out older less secure networked medical devices. The
FDA's goal of managing the medical device's cybersecurity product life-cycle from design to
operation to disposal is timely and needed. Over time this standard may become de facto for
purchasers of networked medical devices worldwide.
PAINS, (privacy, availability, authentication, integrity, non-repudiation and safety) will
become key components of the medical devices security risk analysis. It will serve to reinforce the
scope of patient and device risks. It can be expected that the FDA cybersecurity guidance will
strengthen the HIPAA Privacy Rule and Security Rule in the areas of risk analysis and mitigation
also. Though a work in progress it presents another avenue of reducing the attack surface of the
medical operations for hospitals and clinics.
Therefore the increased cybersecurity of medical devices that the FDA is working on in its
draft guidance is a positive for reducing risk to patients and their privacy. Hospitals and medical
device manufacturers will have to establish new processes and procedures to communicate and work
together to create a successful transformation. This convergence of security, risk management and
secure product design may be seen as a future model of cybersecurity for other regulated industries.
19. “FDA Safety Communication: Cybersecurity for Medical Devices and hospital Networks”,
(6 June 2013) - http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm
20. Sloane, Elliot B. (PAINS) “Medical Device Security HITECH-AARA and FDA related Security
Issues”-NIST/OCR HIPAA Conference, (11, 12 May 2010) –
http://csrc.nist.gov/news.../HIPAA.../1-4-health-devices-sloane-drexel.pdf