In September 2020, a woman died in Germany after being diverted to an out-of-town emergency room because her local hospital was shut down as it grappled with a ransomware attack. Due to the time-sensitive nature of emergency medicine, with people’s lives hanging in the balance, hospitals have become lucrative targets for cyber criminals. They cannot go without their vital information systems for long before patients suffer harm, which makes it easier for bad actors to obtain ransom payments. Cybersecurity incidents caused by the insufficient ability of medical equipment to resist malware are common worldwide. It becomes crucial to improve the medical devices that come to market to be sufficiently resilient to cybersecurity threats. Healthcare systems and medical devices must be available and functioning properly in order to safeguard health and save lives.
In April 2022, the FDA issued updated guidance for cybersecurity in medical devices, placing it among the top concerns for manufacturers. Legally and ethically, device manufacturers must establish and follow quality assurance procedures to ensure that their products perform as expected. Quality assurance procedures (also known as standard operating procedures) for medical devices are prescribed in 21 CFR Part 820. These must be audited and validated before the FDA will grant clearance for manufacturers to sell their products on the market. Cybersecurity risk management and validation have become a core part of the Secure Product Development Framework (SPDF) under 21 CFR 820.30(g). The new FDA guidance focuses on the premarket approval (PMA) necessary for clearance of crucial medical devices that help sustain human life by preventing injury or illness. Manufacturers must provide sufficient scientific evidence to demonstrate that a device is safe and effective for its intended use(s). This includes proving that it is resilient enough to fend off cybersecurity breaches and similar risks. Manufacturers should include cybersecurity security controls in the design of their medical devices and check that they function properly even under duress.
Overall, the goal is to manufacture safe and effective medical devices that are both trustworthy and resilient. Specific security objectives are: authenticity, authorization, availability, and confidentiality. Devices should be supported by secure and timely updates and patches. Cyber hygiene must be considered when designing a medical device. Each electronic data interface must be protected. Cybersecurity vulnerabilities must be researched and CAPA (Corrective and Preventive Action) measures must be taken to prevent exploits whenever possible. These CAPA measures must also provide security controls and data to support quick incident response during an attack. In order to facilitate this, cybersecurity testing is emphatically recommended for all devices. Verify that the input controls do not allow malicious character strings. Perform boundary analysis to prevent memory overflow crashes. Test how medical devices behave when they receive malicious network traffic. Put the medical device under attack from known vulnerabilities and perform penetration testing to discover potential exploits. Investigate how easy it is for default passwords to be used to attack the device.
Third-party software components including proprietary and open-source libraries must also be checked. Previously, manufacturers used the Design History File required by 21 CFR 820.30(j) and the Design Master Record required by 21 CFR 820.181 to record the processes and security controls used by suppliers to meet the manufacturers’ requirements. A machine readable Software Bill of Material (SBOM) is also recommended. A SBOM lists all the software components, along with upstream dependencies. The goal is to develop a system for automatically checking the SBOM for cyber threats and quickly wiping out malware from the manufacturing plant.
It is of utmost concern that patients be protected from harm. Deployment instructions and labeling must be transparent so that healthcare workers know how to implement the device within their own cybersecurity risk management frameworks, such as the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity, generally referred to as the NIST CSF. The FDA recommends that cybersecurity metrics track the percentage of vulnerabilities that are patched and the amount of time between finding a vulnerability and patching it. The time between receiving notification that a patch or update is available from the manufacturer and the patch’s implementation on the device should also be determined and recorded.