Vague FDA Guidance Not Helping Cybersecurity Challenges

By Maria Fontanazza
No Comments

Cybersecurity considerations must be part of the design and implementation process.

It’s been about a year since FDA released its guidance document for cybersecurity in medical devices. As the number of networked devices and mHealth technologies increases, companies will continue to be challenged to address privacy and security vulnerability concerns. In a Q&A with MedTech Intelligence, Delmar Howard, mHealth program manager at Intertek and Erik Reynolds, consultant, electrical/wireless at the company, share their insights on some of the issues that device manufacturers experience related to product security, software, and other networking vulnerabilities.

Delmar Howard, Intertek
Delmar Howard, mHealth program manager at Intertek

MedTech Intelligence: What are the biggest challenges that medical device and diagnostic manufacturers face in product security?

Howard/Reynolds: The FDA’s cybersecurity guidance has left a general lack of understanding of what’s required. Problems arise because manufacturers want specific actions to perform; but because of the nature of cybersecurity, there are no concrete policies that will protect every product equally. A manufacturer could go down one path and apply what they feel is appropriate, only to have the FDA says it’s not right. This is particularly true for existing devices in the market, making some manufacturers reluctant to initiate a cyber review. This is partly due to cybersecurity not being emphasized during initial implementation, which often means a redesign of a product or adding more software onto legacy devices.

Read Delmar Howard’s article, “Mobile Apps in the Medical Device Industry: Safety, Security and Patient Privacy” in MedTech IntelligenceFor new devices, the vague guidance has led to confusion and uncertainty. Part of security depends on a medical device’s integration with the hospital network. It’s challenging to know where a manufacturer’s product responsibility stops and the hospital network/IT team takes over. Threats can take many forms from devices that aren’t necessarily compatible. For example, when two devices are used but each use a slightly different protocol, one device may send the data HTTP Secure (https), while the target device receives and stores the information unencrypted, thus breaking the security structure. This is why it’s important to bring in a partner who can help define a security plan for your specific device or network.

MTI: Are you seeing increased vulnerability with certain devices?

Howard/Reynolds: It’s not so much an increased vulnerability as it is an awareness of the vulnerabilities, especially with legacy devices. A breach could potentially occur for any number of reasons from a variety of sources. One particular challenge is how malicious code can find its way into a medical device. It could present itself in a patch or in any device with communication means. This is a latent security issue that’s challenging to defend.

Erik Reynolds, Intertek
Erik Reynolds, consultant, electrical/wireless, Intertek

MTI: What problems arise when device manufacturers use off-the-shelf (OTS) software in their networks?

Howards/Reynolds: The challenge with OTS software is that it isn’t normally specifically geared toward a product; it’s a one-size-fits-all solution that needs to be customized or changed for a proprietary system. Vulnerabilities within OTS software can leave your medical device vulnerable. You can’t know if the vendor has done its cybersecurity job properly. Updates also provide a means for someone malicious to get into the system, and there may be unused portions of the software still on and running, allowing others to gain access to a device and its data. For example, certain ports may be required to be opened that were not designed to be, giving malicious intenders space to exploit. Part of security is keeping things open only when necessary.

MTI: What role does cost play in how device companies implement solutions to safeguard/protect their devices from unauthorized access?

Howard/Reynolds: The biggest question people ask is “How secure is enough?” There is no such thing as 100% safety and security, so it’s difficult to know when enough has been invested in the process. It’s best not to take a one-and-done approach with cybersecurity. Cybersecurity needs to be part of the design and implementation process. If vulnerabilities are found after a manufacturer has already made all of the large design decisions, it could mean starting over or having to significantly alter your device costing time and money.

Attend the MedTech Intelligence mHealth for Medical Device Manufacturers conference | February 3-4, 2016 | Washington, DC | Attend in person or virtually LEARN MOREMTI: Briefly discuss Intertek’s 6-Point Security Check. What type of resources and expertise are required to implement it?

Howard/Reynolds: Intertek’s 6-Point Security Check is targeted for a segment on the connected device ecosystem: the web server and back end network. The security check is a low-cost way for device manufacturers to identify potential issues with network security and comply with FDA’s cybersecurity guidelines. This isn’t to say that companies shouldn’t be conducting a full security audit. Intertek works with companies to review documentation, server architecture and diagrams, and come up with full feature security review based on documentation. If a company doesn’t have this documentation or only limited documentation, Intertek conducts a discovery process to create it and reveal potential vulnerabilities.

In general, people are thinking product compliance when they think cybersecurity. The challenge lies in understanding where your product lives in the connected ecosystem. This requires a systems approach, not a product approach.

About The Author

Maria Fontanazza, MedTech Intelligence