We’ve all seen headlines about the growing numbers of medical devices being infected by malware. Recently, the Wall Street Journal reported at least 327 devices at Veterans Affairs (VA) hospitals have been compromised since 2009. Taking action, the U.S. Food and Drug Administration (FDA) is urging device manufacturers and health care facilities to be more vigilant about securing devices per the agency’s notice and guidance documents on cybersecurity.
In an unprecedented move, the FDA is asking medical device manufacturers to address cybersecurity issues before they apply for FDA approval. The FDA wants manufacturers to use their intimate knowledge of their devices to identify the risks and hazards associated with them. And since it’s impossible to put all the potential issues to bed, manufacturers are expected to implement measures, like fail-safe modes, to address patient safety and assure proper device performance.
When preparing premarket submissions for the FDA, medical device manufacturers need to show how they have put certain controls in place, including:
- Restrict unauthorized users: Identify trusted users by implementing robust user authentication like biometrics and strong passwords.
- Provide timely security patches: Deploy routine security updates to medical devices and address vulnerabilities in older devices with legacy operating systems.
- Use Fail Safe and Recovery Features: Design in fail-safe modes that protect the device’s critical functionality, even when its security has been compromised.
- Ensure Trusted Content: Restrict software or firmware updates to authenticated code.
Protecting Against the Unknown
The FDA wants device manufacturers to recommend the types of anti-virus software and/or firewalls health care facilities should use. Moreover, the FDA is asking manufacturers to report medical device security risks, one of which could be vulnerability to zero-day attacks. That’s because zero-day attacks can be difficult to defend against since typical security solutions, like anti-virus (AV), are reactive, not pre-emptive
McAfee is already working with device manufacturers to stop zero-day attacks by implementing McAfee® Embedded Control. This solution maintains a carefully controlled list of permitted, trusted code (i.e., whitelist) that is allowed to execute, while unknown or unauthorized software is prevented from running. For instance, whitelisting can prevent the execution of malware – like the notorious Conficker virus – by controlling what runs on a medical device and protecting its memory.
The cybersecurity notice issued by the FDA will certainly encourage device manufacturers to have more in-depth discussions about security with their customers. It may be worthwhile for manufacturers to sit down with security solution vendors ahead of time to get a better understanding of the latest technologies before seeking FDA approval.