So following the recommendation obviously means designing in from the start the capability to patch and update vulnerabilities throughout the life cycle.
The FDA also addresses what has been one complaint of manufacturers – some critics call it an excuse – that if they update a device, they have to go through a certification process again.
The new guidance makes it clear that routine patches and updates don’t need to be reported or reviewed by the FDA. Vulnerabilities don’t need to be reported unless they cause deaths or other adverse events, or can’t be patched within 60 days. Manufacturers are, however, required to notify users, to make changes that lower risk and to be a member of an ISAO, to which they must report the vulnerability and what they did to fix it.
Ted Harrington, executive partner at Independent Security Evaluators, noted that the long development cycle of such devices is primarily focused on performance and safety of their mechanical elements, not the software.
“The software itself can and should be evolved throughout the approval process, and must have an update mechanism to account for the evolutions in attack techniques, discovery of previously unknown flaws in operating systems and communication protocols, and other performance enhancements,” he said.
Of course, even a routine security update process needs security built in. Stephanie Domas, lead medical security engineer at Battelle DeviceSecure Services, said, “updating mechanisms by their nature take in new code, in some format, and save it to the device to execute. This makes them enticing targets for malicious actors – there have been several occasions where software updaters were hijacked for nefarious purposes.”
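The device-side gate Domas is describing, as an added illustration that is not code from the FDA, Battelle or any device vendor: the updater treats the incoming image as untrusted until a manufacturer signature over a manifest (version plus image digest) checks out against a public key baked into the device, and a version that does not move forward is refused so an old, vulnerable image cannot be pushed back. The key pair, manifest layout and version field are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what the updater receives: the image, a version, and the
// manufacturer's Ed25519 signature over manifestBytes(version, sha256(image)).
type Update struct {
	Version uint32
	Image   []byte
	Sig     []byte
}

var ErrBadSig = errors.New("manifest signature invalid: image not accepted")
var ErrRollback = errors.New("update version not newer than installed: refused")

// manifestBytes is the signed structure; binding the digest into it means the
// signature covers the image bytes without signing the whole image directly.
func manifestBytes(version uint32, digest [32]byte) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf, version)
	copy(buf[4:], digest[:])
	return buf
}

// SignUpdate is the manufacturer-side step (constructed for this example).
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	d := sha256.Sum256(image)
	return Update{Version: version, Image: image, Sig: ed25519.Sign(priv, manifestBytes(version, d))}
}

// VerifyUpdate is the device-side check: recompute the digest from what actually
// arrived, verify the signature, then enforce anti-rollback. Only a nil return
// means the image may be written to storage and executed.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	d := sha256.Sum256(u.Image)
	if !ed25519.Verify(pub, manifestBytes(u.Version, d), u.Sig) {
		return ErrBadSig
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // device would hold only pub
	u := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("valid update:", VerifyUpdate(pub, 1, u))
	u.Image[0] ^= 1 // one flipped byte in transit
	fmt.Println("tampered update:", VerifyUpdate(pub, 1, u))
}
```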
The FDA also recommended that all stakeholders in the industry join Information Sharing and Analysis Organizations (ISAOs) to promote the sharing of threat information within the private sector and with government as well.
It said ISAOs, with adequate privacy provisions in place, can help “detect, mitigate or recover from the effects of cyber threats …”
That last item drew some criticism from Dr. Kevin Fu, CEO of Virta Labs and an associate professor at the University of Michigan, who recommended “caution and skepticism” regarding ISAOs in a letter last April on a draft of the guidelines.
“The sharing of data is not useful if the data are not high quality,” he wrote, citing one case where a report of a vulnerability in one server prompted a hospital to use an even less secure server.
Regarding the overall concept of government involvement in setting security standards for medical devices, there is some debate. Shawn Merdinger, an independent security researcher, said the market can be a more potent force for improving security than government regulation.