'Recommendations for Smart, Safe and Secure Interactions'
The guidance "outlines our recommendations for smart, safe and secure interactions among medical devices and other information systems," Bakul Patel, associate director for digital health in the FDA's Center for Devices and Radiological Health, notes in a blog announcing the new guidance.
The guidance highlights an important consideration when it comes to medical devices, says Mac McMillan, president of security consulting firm CynergisTek. "It's important to not only protect the data while at rest on the device, but also as it transmits that data from device to network/application," he says. "Poorly architected transfer mechanisms can put the information at risk as well as the system."
Recommendations for Device Makers
Patel notes that FDA's guidance specifically recommends that all medical device manufacturers:
- Design their devices with interoperability as an objective;
- Conduct appropriate verification, validation and risk management activities;
- Clearly specify the relevant functional, performance and interface characteristics to.
"When premarket submission to the FDA is required, this guidance provides clarity and recommendations for what information on interoperability should be included in a manufacturer's premarket submissions," Patel notes, adding that FDA's "first concern ... is safety."
"Errors and inadequate interoperability, such as differences in units of measure - for example, pounds vs. kilograms - can occur in devices connected to a data exchange system," Patel writes. "Our guidance recommends appropriate functional, performance and interface requirements for devices with such interactions."
Failure to develop and provide this information to the user "may lead to an inappropriate use of the device interface in a way that can lead to device malfunction, including the failure to operate and may lead to patient injury and even death," he notes.
Risk Management Considerations
The guidance urges manufacturers to take a risk management approach to medical device interoperability.
For instance, the FDA guidance states: "An electronic interface on a medical device may have an impact on risk management considerations including security for the medical device, the network and other interfaced devices. Analysis of risks due to both the intended and unintended access of the medical device through the interface should be considered."
The FDA adds that it "recognizes that managing interoperable medical devices includes balancing how to allow intended access while implementing security features to restrict unintended access to the medical devices."
The agency recommends that manufacturers, in their risk management approach, focus on "the potential hazards, safety concerns and security issues introduced when including an electronic interface."
For example, as part of the evaluation and design process, the FDA says manufacturers should consider whether:
- Implementation and use of the interface degrades the basic safety or risk controls of the device;
- Implementation and use of the interface/interfaces degrades the essential performance of the device;
- Appropriate security features are included in the design;
- The device has the ability to handle data that is corrupted or outside the appropriate parameters.
"The thing I like best about this guidance is that for premarket submissions they are actually asking the vendor to explain the security around these areas of the device, as well as asking for a risk assessment and evidence of testing to demonstrate these features work as expected," McMillan says.
Increasing Security Focus
The new guidance "is illustrative of the FDA's increasing focus on security," says Bob Chaput, president of the security consultancy Clearwater Compliance.
In recent years, the FDA has issued several guidance documents aimed at raising the attention to cybersecurity issues for devices.
In the latest interoperability guidance, Chaput, says, "I especially like the focus on the risk-based approach," which the FDA also used in collaborative work with the National Institute of Standards and Technology in developing draft guidance for securing wireless infusion pumps.
Medical device interoperability as it pertains to the security is an important issue, Chaput notes. "My security concerns stem more from overall medical device management - think: deployment management, inventory management, configuration management, change management, problem management, etc. - and the proliferation of devices operating as medical devices - think patient monitoring apps on iPhones," he says. "Interoperability intersects with all these basic device management requirements."
Chaput says many healthcare technology leaders, including CIOs and biomedical engineering managers, "struggle with items as basic as having a complete, up-to-date and perpetual inventory of IoT devices, including biomedical devices. At the end of the day, it gets back to risk assessments and risk management."
Unfortunately, federal regulators at the Department of Health and Human Services Office for Civil Rights have found that "healthcare delivery organizations are failing to perform accurate and comprehensive risk assessments and risk management on traditional IT systems/assets, not to mention medical devices and other critical infrastructure IoT devices such as facilities, security and building management systems," he notes.
Pros and Cons
Chaput says he's pleased that the new guidance includes an entire section devoted to risk management. "The section underscores the connection between cyber risks and patient safety," he says. But the section should have included a reference to the NIST Cybersecurity Framework, he argues.
"While how one performs a risk assessment will vary from traditional IT assets to biomedical devices to other IoT devices in the healthcare ecosystem, the need to perform risk assessments and risk management is clearly cited as a critical what one needs to do in the NIST CSF," he says.
One important feature about the guidance is bothersome, McMillan contends.
"The real problem with this guidance are the bolded italicized words at the top of every page [that says,] 'Contains Nonbinding Guidance,' [meaning] it does not require [manufacturers] to comply," he notes. "At the end of the day, good guidance, but no real ground gained in solving the problem."
About the Author
Executive Editor, HealthcareInfoSecurity
Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.