By James Kalbfleisch, Applications Engineer III

Due to new requirements for Electronic Health Records (EHR) generation and storage, hospitals and clinics are looking for more efficient and reliable methods to deliver that data to online record repositories. As a result, medical device manufacturers are being asked to incorporate wireless connectivity into their products.

The FDA has traditionally fulfilled the role of improving patient safety by painstakingly regulating the myriad devices used to diagnose and treat patients. In this role, it is taking a growing interest in safeguarding the patient data that is generated and communicated by those tools. Therefore, there is an urgent need for device manufacturers to adhere to this growing set of guidelines and best practices before they bring new products to market.

The FDA requires classification of medical devices into three separate groups based on the risks associated with that device. For more information on the classification of medical devices, see our previous blog post, Classes of Medical Devices. In addition to the classification of those products, manufacturers are required to make premarket submissions for those devices before they can be commercially sold.

The following must be addressed in the premarket submissions in accordance with the new guidelines:

  1. Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with the device, including:
    • A specific list of all cybersecurity risks that were considered in the design of the device
    • A specific list and justification for all cybersecurity controls that were established for the device
  2. A traceability matrix that links the actual cybersecurity controls to the cybersecurity risks that were considered
  3. A summary describing the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device to continue to assure its safety and effectiveness
  4. A summary describing controls that are in place to assure that the medical device software will maintain its integrity (e.g. remain free of malware) from the point of origin to the point at which that device leaves the control of the manufacturer
  5. Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g. anti-virus software, use of a firewall)

New bugs and hacks are being reported in the media on a daily basis. No system, network, or device is 100% safe from an attacker, so it is necessary to be vigilant in identifying risks, swift in addressing real threats, and proactive in determining the right strategies to limit future vulnerabilities.

Medical device manufacturers should look for wireless module providers that diligently update their software with security patches as soon as a new threat is discovered. A company’s timely response to new cybersecurity threats can significantly reduce exposure of patient data to malicious attacks. Device makers must also ensure the wireless solutions they choose to embed into their mobile medical devices carry the latest certifications and offer top-of-the-line security feature sets such as WPA2-Enterprise security and FIPS 140-2 certification. They should seek a partner with the experience, scale and knowledge to assist them in complying with the new FDA guidelines.

As a provider of enterprise-grade wireless solutions for Wi-Fi and Bluetooth, Laird offers best-in-class, medical appropriate, secure and reliable wireless connectivity. Laird has the experience and scale to assist customers in navigating the new FDA requirements. The new FDA guidelines are a positive step towards guaranteeing the integrity and privacy of personal patient information and Laird applauds this move by the FDA. For more on wireless technology in hospitals, visit the Connected Hospital webpage.

4 Responses to New FDA Guidance on Effective Cybersecurity Management for Medical Devices

  1. This was much needed, as the guidance will only improve a much-needed culture in the information security and healthcare arena regarding cybersecurity initiatives. Cybersecurity threats are going to continue to grow in the coming years, so it’s highly essential that companies start securing their entire digital infrastructure, which begins by putting in place information security policies and procedures, provisioning and hardening of such systems, and then undertaking comprehensive security awareness training for employees. Call it the 3-point stance for protecting your organization. The problem is that most companies (1) have outdated policies, (2) don’t have formalized procedures and checklists for hardening their information systems, and (3) do little or nothing when it comes to security awareness training. This won’t cut it in today’s world, so it’s time to get serious about information security.

  2. It will be interesting to see what the effect on HIPAA compliance will be. Regardless, provisioning and hardening is without question one of the most important measures for helping ensure the safety and security of critical information systems. After all, how good is anyone’s security posture if no initiatives have been undertaken for locking down and hardening firewalls, routers, servers, applications and other critical hardware and software solutions? As a security auditor, I find that many companies – regardless of industry or size – have little or no documentation for such practices, which is not good at all, and it’s time this changes. After all, there are untold numbers of free and very cost-effective hardening checklists online that can be easily downloaded and used immediately.

  3. Jordan Manser says:

    Your feedback absolutely emphasizes the regulatory issues that must be addressed, increasingly so moving forward and into the future. It is critical for hardware and software providers to update their policies to match these more formal standards and make sure that all relevant personnel are serious about adopting and enforcing them. The note about training and more comprehensive documentation will certainly help organizations to better understand and address cyber-security issues. From an engineer’s perspective, security compliance should be a critical part of product and service development from the beginning, rather than an afterthought. Unfortunately, an issue that organizations will likely face is encouraging engineering and project management or managers to collaborate before interfacing with auditors. Hopefully compliance to these new FDA guidelines will better protect patient personal information and improve patient safety.

    – James Kalbfleisch

  4. glowmoon2015 says:

    Thanks for your response back to the e-mail address.
