New FDA Guidance on Effective Cybersecurity Management for Medical Devices

By James Kalbfleisch, Applications Engineer III

Due to new requirements for Electronic Health Records (EHR) generation and storage, hospitals and clinics are looking for more efficient and reliable methods to deliver that data to online record repositories. As a result, medical device manufacturers are being asked to incorporate wireless connectivity into their products.

The FDA has traditionally fulfilled the role of improving patient safety by painstakingly regulating the myriad of devices used to diagnose and treat patients. In this role, they are taking a growing interest in safeguarding the patient data that is being generated and communicated by those tools. Therefore, there is an urgent need for device manufacturers to adhere to this growing set of guidelines and best practices before they bring new products to market.

The FDA requires classification of medical devices into three separate groups based on the risks associated with that device. For more information on the classification of medical devices, see our previous blog post, Classes of Medical Devices. In addition to the classification of those products, manufacturers are required to make premarket submissions for those devices before they can be commercially sold.

The following must be addressed in the premarket submissions in accordance with the new guidelines:

1. Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with the device, including:
   • A specific list of all cybersecurity risks that were considered in the design of the device
   • A specific list and justification for all cybersecurity controls that were established for the device
2. A traceability matrix that links the actual cybersecurity controls to the cybersecurity risks that were considered
3. A summary describing the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device to continue to assure its safety and effectiveness
4. A summary describing controls that are in place to assure that the medical device software will maintain its integrity (e.g. remain free of malware) from the point of origin to the point at which that device leaves the control of the manufacturer
5. Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g. anti-virus software, use of firewall)

New bugs and hacks are being reported in the media on a daily basis. No system, network, or device is 100% safe from an attacker, so it is necessary to be vigilant in identifying risks, swift in addressing real threats, and proactive in determining the right strategies to limit future vulnerabilities.

Medical device manufacturers should look for wireless module providers that diligently update their software with security patches as soon as a new threat is discovered. A company's timely response to new cybersecurity threats can significantly reduce exposure of patient data to malicious attacks. Device makers must also ensure the wireless solutions they choose to embed into their mobile medical devices are equipped with the latest certifications and offer top of the line security feature sets like WPA2-Enterprise security and FIPS 140-2 certification. They should seek a partner with the experience, scale and knowledge to assist them in complying with the new FDA guidelines.

As a provider of enterprise-grade wireless solutions for Wi-Fi and Bluetooth, Laird offers best-in-class, medical appropriate, secure and reliable wireless connectivity. Laird has the experience and scale to assist customers in navigating the new FDA requirements. The new FDA guidelines are a positive step towards guaranteeing the integrity and privacy of personal patient information and Laird applauds this move by the FDA. For more on wireless technology in hospitals, visit the Connected Hospital webpage.