An American regulatory agency believes medical device manufacturers have to get tougher with IT security on anything that touches the Internet or a wireless network.
The Food and Drug Administration (FDA) issued draft guidelines on Thursday for vulnerabilities that electronic health equipment manufacturers should be addressing about before submitting products for approval.
“The need for effective cybersecurity to assure medical device functionality has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information,” the draft document explains.
Failure to maintain cybersecurity can result in compromised device functionality, loss of data availability or integrity, or exposure of other connected devices or networks to security threats, it notes. “These, in turn, have the potential to result in patient illness, injury, or death.”
According to the Washington Post, after hearing comments from industry and the public the guidelines will be finalized and the FDA will have the power to refuse to approve devices if manufacturers don’t provide adequate plans for protecting their devices.
While there has been guidance to makers of networked medical equipment makers on cybersecurity since at least 2005, the draft rules spell out more definitively what they have to do.
Security in medical devices questioned
The general principle manufacturers should follow is the creation of a set of security controls that will maintain information confidentiality, integrity, and availability of medical devices. That means patient information in everything from heart monitors to x-ray machines can’t be altered and is only accessible to authorized persons.
A spokesperson for Health Canada said in an email that Canadians should only purchase medical devices that have been authorized by the department. “During the review of a medical device licence application, manufacturers must demonstrate their devices meet the requirements of safety and effectiveness, and included in this would be evidence of acceptable functioning of the software.” the statement said.
The FDA suggested that in their requests for approvals manufacturers should document how they have dealt with the risks of IT vulnerabilities and the likelihood of it being exploited.
“The extent to which security controls are needed will depend on the medical device, its environment of use, the type and probability of the risks to which it is exposed, and the probable risks to patients from a security breach,” the FDA said.
Medical devices capable of connecting to another medical device, to the Internet or other network, or to portable media (for example a USB stick or Compact Disk) are more vulnerable to cybersecurity threats than devices that aren’t, the draft recommendations noted.
Manufacturers should also carefully consider the balance between cybersecurity safeguards and the usability of the device in its intended environment of use (for example use in the home vs. in a health care facility) to ensure that the security capabilities are appropriate for the intended users.
For example, security controls should not hinder access to the device during an emergency, it said. Similarly, manufacturers should consider if security features will interfere with the ability of healthcare providers to administer necessary care.
Possible security controls include limiting access to devices through authentication like passwords or biometrics, timed session log-offs, layered privileges, physical locks and requiring controls before allowing software or firmware updates.