On September 23, 2023, the FDA released a new guide exploring best practices for securing medical devices.
The new guide includes 50 additional pages detailing best security principles relevant to today’s institutions.
This guide covers security at various stages of medical product release, from pre-market submission to ongoing protection of new and old devices.
What's new in the FDA cybersecurity guidance in 2023? What should medical institutions know?
Old guide details
The guide published in 2014, also known as "Contents of pre-market application regarding cybersecurity management of medical devices", focused on what manufacturers should consider when producing and launching medical devices.
It is a reminder that cybersecurity is a shared responsibility: manufacturers, patients, stakeholders, and healthcare facilities must all follow security best practices.
Security practices vary from guide to guide, but a common tip not covered in older guides is the importance of threat identification, detection, response, and recovery.
The old guide also focuses on restricting access to trusted users. For manufacturers, it covers all the standards and documents they need to be aware of during the pre-market application stage.
The new guide goes into more detail and suggests more specific security solutions for manufacturers and healthcare facilities.
New FDA Cybersecurity Guidance
The new guide, "Medical device cybersecurity: quality system considerations and premarket submission content", provides more detailed security instructions.
It explains how to design medical devices with security in mind, manage cybersecurity risks, build a cybersecurity architecture that makes sense for the facility, and test security continuously.
For example, it reminds manufacturers of the importance of specific measures such as:
- Strong authorization
- Enhanced encryption
- Robust event and data logging
- Improved data and code integrity within the device
- Regular software and firmware updates for existing devices
Like the old guide, the 2023 edition states that these are suggestions on how to create a secure environment and protect your devices.
IoT security for older devices
The new guide provides more specific advice on securing legacy IoT technology. IoT, the Internet of Things, is a core part of all smart technology.
Securing IoT devices comes with its own set of challenges. Smart technology is known to be insecure because of default passwords and the security limitations imposed by its compact size.
However, the biggest challenge is securing legacy IoT components. Think back to old surveillance devices, RFID technology, and early dispensing systems.
To keep devices secure, healthcare organizations typically rely on patches released by manufacturers. However, if the technology is older, the product may be reaching end-of-life status.
In other words, manufacturers no longer invest in this product or regularly release patches to ensure that users have the most secure and updated version of their device.
Essentially, hospitals can either replace old devices or invest in making them more secure.
How can you tell which is the right decision?
This guide suggests an exploratory and collaborative approach to determining next steps. Areas that need to be studied here include tailored vulnerability management, modular design of medical devices, and the potential benefits of employee training.
Active efforts to ensure the safety of medical devices
Most healthcare facilities wait for a patch from the manufacturer. Several months may pass between patches. In the meantime, a device may have critical vulnerabilities that hackers could exploit.
Hospitals do not have those months to spare. In between scheduled patches, hackers can exploit critical vulnerabilities to obtain sensitive data or to control medical equipment remotely.
This is the main difference between the new guide and the old guide.
In other words, the 2023 document suggests a more proactive approach to cybersecurity. It takes into account that cyberattacks occur in real time. New, more sophisticated and damaging types of cyberattacks can unexpectedly compromise hospital assets.
Security must be maintained at all times, and devices must be constantly monitored for anomalies and flaws so that these are found and fixed before bad actors take advantage of them.
For example, host-based intrusion detection/prevention systems (HIDS/HIPS) are one solution for improving the security posture of medical devices. They continuously monitor the device's attack surface to prevent intrusions in real time.
Constant event tracking looks for anomalies and prevents devices from being exploited even before the manufacturer provides a patch.
Patient safety is the top priority
In the medical field, patients are most affected by vulnerabilities that hackers can discover within medical devices. In the worst case scenario, the patient’s life may be at risk due to a delay in detecting the weakness.
Many of the devices used in hospitals are IoT-based. Patients rely on smart devices such as insulin pens, monitoring devices, and health trackers. IoT is also the most difficult technology to protect.
What does that mean for security?
Healthcare institutions use smart components that are known to be vulnerable, but these components are needed because smart devices are designed to communicate with each other.
Although IoT devices are useful, they are also notoriously insecure, because it is difficult to make them both functional and secure against hacking. This is especially true for older devices that were not designed with security in mind.
The latest edition of the cybersecurity guide was nearly a decade in the making. Considering how rapidly the field of cybersecurity changes every year, it took a long time to produce a more comprehensive guide.
The new FDA cybersecurity guidance promotes security by providing the latest tips on how to proactively protect vulnerable devices.
Regardless of the type of facility or the medical equipment used within it, the end goal of cybersecurity is the same.
First and foremost, it is to protect the patient. It is about maintaining patients' trust and making sure they receive the best care.