USA: public FDA discussion document to improve cybersecurity in the maintenance of Medical Devices

The Center for Devices and Radiological Health (CDRH) of the Food and Drug Administration (FDA) has published “Strengthening Cybersecurity Practices Associated with Servicing of Medical Devices: Challenges and Opportunities” on cybersecurity problems and solutions associated with the maintenance of medical devices.

Public FDA discussion document to improve Cybersecurity in the maintenance of Medical Devices USA
Public FDA discussion document to improve cybersecurity in the maintenance
of Medical Devices

The document intends to gather feedback on the issue from groups and individuals outside the FDA. Stakeholders have until 17 August 2021 to communicate their input, which will lead to a shared document, the result of the commitment and responsibility of all stakeholders.

This document follows on from the 2018 FDA Medical Device Maintenance Report, which was created with the goal of strengthening cybersecurity in the maintenance of Medical Devices.

Four problems, four solutions to improve cybersecurity in the maintenance of medical devices

In the document the FDA identifies the following four areas where it is important to take action to improve cybersecurity in the maintenance of medical devices.

1. Privileged access

Access to a device for maintenance purposes is restricted to specific privileged users (usually designated by the Original Equipment Manufacturer of the device – Original Equipment Manufacturer OEM). Extending access to other users or entities to perform service, maintenance or repair functions introduces cybersecurity risks. For this reason, the FDA recommends that companies define privileged access to the device’s operating systems and applications, as well as implement the use of user authentication and related controls to mitigate these risks.

2. Identify cybersecurity vulnerabilities and incidents

The FDA notes that service providers are able to help identify cybersecurity vulnerabilities and incidents in their early stages, in some cases before the OEMs become aware of these issues. Sharing this information and post-marketing data with appropriate stakeholders (including OEMs and regulatory agencies) could lead to faster identification of cybersecurity threats and incidents.

3. Prevention and mitigation of cybersecurity vulnerabilities

Generally, prevention and mitigation are achieved through software updates. The FDA recommends that device OEMs engage service providers more in maintaining device security by efficiently implementing software updates and fixes to address cybersecurity risks and incidents.

4. Challenges and opportunities of the product life cycle

These areas relate to legacy devices used in healthcare environments beyond their intended life cycle. The legacy devices in question are those that cannot be protected against current cybersecurity threats. For more information, see “Principles and Practices for Medical Device Cybersecurity” (IMDRF). The FDA and other international cybersecurity stakeholders have called for more communication from OEMs when they are no longer able to support software updates and the changes needed to address the cybersecurity risks of devices. Although end-of-life issues of devices can be very difficult to communicate in complex healthcare environments, the FDA recommends the use of liability agreements between OEMs and healthcare facilities for devices that meet acceptable performance criteria when well maintained, but which may cause increasing cybersecurity risks if they are used for an extended period of time.

Would you like to know more about Cybersecurity?

Thema experts are at your disposal for strategic regulatory consulting.

Contact us and find out what we can do for you.

Sources:

Discussion Paper: Strengthening Cybersecurity Practices Associated with Servicing of Medical Devices: Challenges and Opportunities, FDA, june 17 2021

FDA Report on the Quality, Safety, and Effectiveness of Servicing of Medical Devices, FDA, may 2018