Encryption, FIPS 140 and Medical Devices: Frequently Asked Questions
EMERGO SUMMARY OF KEY POINTS:
- Pressure from US regulators and healthcare purchasing organizations for medical devices to demonstrate adequate encryption capabilities is increasing.
- Compliance with the Federal Information Processing Standard (FIPS) 140-2 enables manufacturers to demonstrate that their devices use adequate encryption tools.
- FIPS 140-2 compliance is best addressed early in the medical device design phase.
As cybersecurity vulnerabilities become a more urgent concern for the medical device industry, encryption requirements are emerging as a key tool for addressing them. In the US, compliance with the FIPS 140-2 standard can help manufacturers of network-connected devices and software demonstrate encryption capabilities that protect patient and user data.
Below, we cover several common questions about the role of FIPS 140-2 and related encryption practices in medical device companies’ cybersecurity management efforts.
First, encryption is generally defined as a keyed transformation of data: an encryption key is used to convert readable data into an illegible form, so that the data is concealed and protected from exposure, theft or misuse.
How is encryption applied to medical devices?
In the realm of medical devices, encryption is necessary to protect patient privacy and safety. To this end, the US FDA has published premarket and postmarket cybersecurity guidance for medical devices that recommends using encryption to secure data transmissions to and from networked devices.
What is FIPS 140-2?
FIPS 140-2 is a US Federal Information Processing Standard issued by the National Institute of Standards and Technology (NIST). It specifies security requirements for cryptographic modules and lays out requirements for implementing encryption capabilities in devices and other products. These requirements are intended to protect data at rest on the device as well as data being received by or sent from the device.
When is FIPS 140-2 compliance necessary for medical devices?
For a device manufacturer, FIPS 140-2 compliance is one way to demonstrate the encryption capabilities that many purchasers, such as hospitals and clinics, require. The US Veterans Health Administration (VA), for example, requires FIPS 140-2 compliance for all medical devices and software that transmit data via wireless technologies. Given that the VA is one of the biggest healthcare product procurers in the US, FIPS 140-2 compliance is not optional for any device manufacturer or developer seeking business with the agency.
What are key FIPS 140-2 implementation considerations for medical device companies?
Medical device manufacturers seeking to attain FIPS 140-2 compliance should consider the following factors:
- Firms should apply the standard early in their device design phase to ensure that all components used for encryption meet proper quality and performance requirements.
- A manufacturer may need to consider specific design attributes, such as tamper evidence, that are independent of the product’s software or hardware encryption components.
- As with IEC 60601 compliance, FIPS 140-2 compliance is more difficult and expensive to add to a device once its design is complete, so it should be considered early in the design phase.
How does the US FDA approach FIPS 140-2 compliance and encryption for medical devices?
Although US regulators do not yet outright require FIPS 140-2 compliance for registrants with wireless or networked devices, companies should expect more FDA attention to these issues as cybersecurity becomes a larger focus of the agency.
“The FDA has written several Additional Information (AI) letters in response to new 510(k) premarket notification submissions for network-connected products requesting more data on applicants’ software quality and security,” says Laura Élan, Practice Leader, Digital Health and Cybersecurity at UL.
Élan adds that more and more purchasing organizations at hospitals and other large healthcare providers are asking for detailed evidence that manufacturers are addressing security, including encryption capabilities, in their offerings.