Medical devices have come under increased scrutiny for security issues in recent years as the healthcare field has grown more reliant on software-based tools. In response to mounting concerns and intensifying threats, the U.S. Food and Drug Administration recently released an advisory notice addressing cybersecurity for medical devices and hospital networks. By taking steps to secure devices and healthcare facilities at the software development and network security levels, those in the industry can reduce the risk of harmful attacks.
The safety communication comes nearly one year after the U.S. Government Accountability Office released a recommendation that the FDA expand its consideration of information security risks. That report noted that the FDA had overlooked many security controls when approving certain devices and had placed more of an emphasis on functionality.
Later in the year, a Washington Post investigative report concluded that the healthcare sector was among the most vulnerable to hackers due to its inattention to information security and high number of software security vulnerabilities. One challenge cited in improving healthcare cybersecurity was the confusion surrounding FDA policies, particularly with regard to making changes such as security patches to approved systems.
Memo of clarity
The recent FDA memo addresses such issues explicitly and provides a basic framework of recommendations for improving cybersecurity. Noting that it is not aware of any patient injuries or deaths due to software security incidents, the agency nonetheless highlighted the threats facing users of medical devices.
“Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches,” the memo stated. “In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical device, and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates.”
In particular, the agency cited the prevalence of malware on medical devices, as well as on smartphones, tablets and computers connected to hospital networks. Additionally, its bulletin highlighted a lack of timely security updates to medical devices, a failure to address vulnerabilities in legacy equipment and a high number of zero-day vulnerabilities in off-the-shelf medical software.
Strengthening device security
The FDA noted that device manufacturers are responsible for identifying risks – including cybersecurity risks – facing their devices and including security controls. Since many medical devices contain configurable embedded software, proactively mitigating breaches is essential. Such controls will vary depending on the device and the environment in which it is designed to operate, but considerations should include methods to limit access to authorized users and design approaches that maintain core functionality even if security is compromised.
“The FDA expects medical device manufacturers to take appropriate steps to limit the opportunities for unauthorized access to medical devices,” the agency stated. “Specifically, we recommend that manufacturers review their cybersecurity practices and policies to assure that appropriate safeguards are in place to prevent unauthorized access or modification to their medical devices or compromise of the security of the hospital network that may be connected to the device.”
Additionally, the FDA recommended that manufacturers release timely, validated security patches and restrict updates to authenticated code. In particular, the agency noted that it does not need to review or approve device software changes that are made for the purpose of strengthening cybersecurity, a common misunderstanding that many have cited as an impediment to addressing the problem.
At the same time, the FDA noted that it has released draft guidance on how manufacturers should handle cybersecurity when preparing their devices for market, and FDA standards on software security are likely to continue evolving as the issue becomes more prominent. To ensure medical devices limit security risks and continue to meet cybersecurity expectations, manufacturers can employ tools such as static analysis software, helping them catch bugs prior to release and mitigate the risk of a security breach.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.