How to meet new FDA guidance for medical device security

The FDA’s 2023 cybersecurity guidance, while demanding, sets the stage for a safer future where medical devices are resilient to evolving cyber threats.
By Curtis Yanko, CodeSecure

The FDA recently issued updated guidance on best practices for medical device cybersecurity, a progressive step forward from its 2014 recommendations. This revision underscores the need for manufacturers to adopt proactive security measures, integrating them into the very design and fabric of devices.

The underlying message of this new guidance is that manufacturers are encouraged to adopt a “security by design” methodology. This represents a significant departure from prevailing manufacturing and design mindsets, and necessitates considerable investments in new technologies and training.

A cornerstone of this new guidance is its focus on software supply chain security. Manufacturers aren’t just expected to produce secure devices; They are mandated to continuously monitor and address new vulnerabilities in a timely fashion. This oversight requires substantial resources and a keen awareness of evolving threats. Furthermore, the transparency mandate — expressed through the provision of a comprehensive software bill of materials (SBOM) — underscores the importance of cataloging every medical device software component, be it open source, commercial, or internally developed.

The new guidance also emphasizes the need for manufacturers to proactively manage the integrity of device code, especially regarding external inputs. This involves addressing vulnerabilities like memory or buffer overflows, which can be exploited by attackers to compromise devices.

The new guidance is aimed squarely at addressing the risks and consequences of inadequate device security, including vulnerabilities that can lead to device malfunction, posing tangible physical threats to patients and also potential breaches of sensitive data.

While the direct implications are grave, indirect consequences can be equally debilitating for manufacturers. There’s the looming risk of reputational damage, a blow from which recovery can be challenging and long-drawn. Furthermore, regulatory repercussions can include hefty fines and product recalls.

To underline the severity, consider the 2020 BD Alaris 8000 series infusion pump recall. Failures in both hardware and software culminated in injuries and a death, leading to a reported pre-litigation loss of $59 million for the company.

In light of these risks and challenges, here are several recommendations manufacturers should consider to meet the new FDA guidance:

1. Holistic security implementation
Rather than performing security checks as a final step of product development, it should be a foundational layer upon which devices are built. This approach ensures security is integrated into a product’s fabric and is not a late-stage add-on.

2. Harnessing application security testing technologies
Static application security testing (SAST) can meticulously scan code, bytes and binaries for vulnerabilities, ensuring that potential risks are identified early in the development phase. Notably, SAST can detect a wide range of flaws, including memory-related vulnerabilities, which the FDA has underscored as high priority in its latest guidance. By integrating SAST into the development process, manufacturers not only comply with FDA’s recommendation on code integrity but also preemptively ward off potential exploits.

Software composition analysis (SCA) becomes invaluable with the FDA’s emphasis on achieving transparency into software supply chain risks. Binary composition analysis (BCA) can identify and assess open-source and third-party components, ensuring they are devoid of known vulnerabilities. Beyond just identification, BCA offers remediation paths, allowing manufacturers to proactively address issues and avoid costly and reputationally damaging product recalls. Moreover, BCA can create an SBOM, a now mandatory requirement that provides visibility into all software components used in a device.

3. Automation and continuous integration
The value of continuous integration and continuous delivery (CI/CD) pipelines extends beyond faster product releases. By integrating security checks into these pipelines, manufacturers can ensure that every software iteration is vetted for potential vulnerabilities. Continuous monitoring aided by automation means threats are identified and remediated in real-time, ensuring the device remains secure throughout its lifecycle.

4. Stakeholder collaboration
The guidance emphasizes shared responsibility. While taking the lead, manufacturers should actively collaborate with users, fostering a culture of shared accountability. Training, regular updates, and open channels of communication can ensure users are apprised of best practices, further fortifying device security.

The FDA’s 2023 cybersecurity guidance, while demanding, sets the stage for a safer future where medical devices are resilient to evolving cyber threats.

Meeting these new recommendations requires that manufacturers adopt a strategic shift in design philosophy that integrates security early in the design and development process. Ultimately, this will ensure patient safety and data integrity remain uncompromised. Medical Design & Outsourcing