July 1, 2021
A new discussion paper published by the US Food and Drug Administration focuses on cybersecurity risk and vulnerability issues directly related to servicing medical devices; the agency is seeking comment from industry and other stakeholders through August 17, 2021.
The FDA discussion paper follows a report on medical device servicing published in 2018 wherein the agency set a goal of strengthening and improving cybersecurity processes tied to the servicing of medical devices. The new paper identifies four cybersecurity issues involved in device servicing:
- Privileged access, whereby access to a device for servicing purposes is limited to specific privileged users (typically designated by the device’s original equipment manufacturer, or OEM). Extending access to other users or entities to perform servicing, maintenance or repair functions introduces cybersecurity risks. FDA recommends that firms establish privileged access to device operating systems and applications, as well as the use of user authentication and related controls, to mitigate these risks.
- Identifying cybersecurity vulnerabilities and incidents, which applies not only to healthcare but to all other critical infrastructure sectors. FDA notes that servicing providers and entities are well-suited to help identify cybersecurity vulnerabilities, incidents and breaches in their early stages, in some cases before OEMs become aware of these issues. Sharing this and related post-market data with appropriate stakeholders, including OEMs and regulatory agencies, could result in earlier detection of cybersecurity threats and incidents, as well as help in the development of more effective responses and mitigation processes.
- Prevention and mitigation of cybersecurity vulnerabilities, typically achieved via software upgrades. FDA contends that servicing providers are also well-positioned to support these efforts by verifying that devices they service are running on up-to-date software with adequate cybersecurity features; the agency furthermore recommends that device OEMs allow servicing providers greater involvement in maintaining device security by efficiently deploying software upgrades and fixes to address cybersecurity risks and incidents.
- Product lifecycle challenges and opportunities, which pertain to legacy devices utilized in healthcare settings beyond their intended lifecycles. FDA and other international cybersecurity stakeholders have advocated for more communication from OEMs when they can no longer support software upgrades and patches needed to address their devices’ cybersecurity risks. Although device end-of-life issues can prove highly complicated and difficult to communicate across complex healthcare environments, FDA recommends use of responsibility agreements between OEMs and healthcare facilities regarding devices that may be able to stay within acceptable performance specifications via servicing, but that will pose greater and greater cybersecurity risks the longer they remain in use.