On September 23, 2023, the FDA released a new guide that explores the best practices for securing medical devices.
With 50 extra pages, the new guide elaborates more on the best security principles relevant to institutions today.
The guide covers security in different stages of medical product release — from premarket submissions to continually securing old and new devices.
What’s new in 2023 FDA cybersecurity guidance that medical institutions should be aware of?
Elaborating on the Old Guide
The guide issued in 2014, also known as Content of Premarket Submissions for Management of Cybersecurity in Medical Devices focused on what manufacturers should consider when creating and releasing medical devices.
It reminds us that cybersecurity is a shared responsibility. That is, manufacturers, patients, stakeholders, and medical facilities should follow the best security practices.
While security practices will differ from one guide to another, general tips that the old guide glosses over are the importance of identification, detection, response, and recovery from threats.
Also, it focuses on limiting access to trustworthy users. For manufacturers, it goes over all the standards and documentation they have to be aware of in the stage of premarket submissions.
The novel guide goes into more detail and suggests more concrete security solutions for manufacturers and medical facilities.
The New FDA Cybersecurity Guidance
The new guide, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions goes deeper into the security instructions.
It suggests how to design medical devices with security in mind, manage cybersecurity risks, build a cybersecurity architecture that makes sense for the institution, and test security at all times.
For instance, it reminds manufacturers of the importance of specific measures such as:
- Strong authorization
- Enhanced cryptography
- Robust event and data logging
- Better data and code integrity within devices
- Regular updates of software and firmware of existing devices
Similar to the old guide, the 2023 version notes that these are suggestions on how to create a secure environment and protect devices.
IoT Security for Older Devices
The new guide offers more concrete advice on protecting legacy IoT technology. Also known as the Internet of Things, this technology is the core part of any smart technology.
Protecting any IoT devices comes with a set of challenges. Smart technology is known to be insecure because of default passwords and security limitations due to its compact size.
However, the greatest challenge is the protection of legacy IoT components. Think old monitoring devices, RFID technology, or early dispensing systems.
To keep devices secure, medical institutions typically rely on patches released by the manufacturer. However, if the technology is older, the product might have reached its end-of-life or end-of-support stage.
In other words, the manufacturer no longer invests in this product or releases the patches regularly to ensure that the users have the most secure and updated version of the device.
Essentially, hospitals can either replace the outdated devices or invest in better security for them.
How can you tell which is the right decision?
The guide suggests research and a collaborative approach to decide on the next steps. Some areas that need to be studied here are coordinated vulnerability management, modular design of medical equipment, and the potential benefits of training the workforce.
Proactive Approach to Securing Medical Devices
Most medical institutions wait for patches from manufacturers. Months can pass between them. In the meantime, devices could have critical vulnerabilities that hackers might exploit.
These are months hospitals simply don’t have. In between scheduled patching, hackers can exploit critical vulnerabilities that might allow them to obtain sensitive data. Or gain remote control over a piece of medical equipment.
This is the key difference between the new and older guides.
That is, the 2023 document suggests a more proactive approach to cybersecurity. It takes into consideration that cyberattacks happen in real-time. New kinds of cyberattacks, more advanced and damaging, can unexpectedly compromise the assets of a hospital.
Security has to keep up — and look for anomalies and flaws at all times. Find and fix them before a bad actor misuses them.
For example, Host-based Intrusion Detection/Prevention Systems (HIDS/HIPS) is one solution for improving the security posture of medical devices. It’s continually monitoring the surface to prevent intrusions in real time.
It seeks for anomalies at all times by tracking the events and makes sure that the devices are safe from exploits even before the manufacturers provide patches.
Prioritizing the Safety of Patients
In the medical field, vulnerabilities that a hacker might uncover within the medical equipment affect patients the most. In the worst-case scenario, weaknesses discovered late can put patients' lives at risk.
A large number of devices that hospitals use are IoT-based. Patients rely on devices such as smart insulin pens, monitoring devices, and health trackers. This is also the most challenging technology to protect.
What does that mean for security?
Institutions use smart components that are known to be vulnerable, but they’re a necessity because they need these smart devices designed to communicate with each other.
IoT devices are convenient but also notoriously insecure because it’s challenging to make them functional and safe against hacking. This is especially true for older devices that aren’t even designed with security in mind.
The latest version of the cybersecurity guide has been almost 10 years in the making. This is a long time for a more comprehensive guide, considering how fast the field of cybersecurity changes every year.
New FDA cybersecurity guidance facilitates security by offering the latest tips on how to proactively protect flawed devices.
Regardless of the type of institution and medical equipment used there, the ultimate goal of cybersecurity is the same.
First and foremost, it’s about protecting the patients. It’s about retaining their trust and making sure they receive the best care.
