Medical Device Cybersecurity for Network Connected Software and Devices
ANSWERED ON THIS PAGE:
- What kinds of medical devices are vulnerable to cyber threats?
- What are the FDA’s cybersecurity requirements for medical devices and software?
- Why should we perform cybersecurity assessments for our devices?
Medical devices face a perfect storm. Attackers are more sophisticated, and the number of devices connecting to the internet or other networks is growing exponentially. As a result, cybersecurity threats are a major concern for device companies. A breach can compromise patient data or software, as well as the performance of life-critical devices like infusion pumps, ventilators, and pacemakers. Yet pressure to speed up market entry means cybersecurity testing often happens post-market, or not at all.
As regulators recognize the risks of cyber attacks, cybersecurity is becoming a regulatory imperative for device manufacturers who want to ensure timely clearance. Emergo can provide cybersecurity testing and evaluation early in the product development stages and help you meet the expectations of regulators and end customers, such as healthcare Group Purchasing Organizations (GPOs).
Cybersecurity risk assessments and pen testing to reduce risk and avoid regulatory delays
The best way to mitigate threats to your device is to assess your device's vulnerability early in the design process. We can perform the following cybersecurity assessments to ensure your company and products are prepared for cyber threats in the market:
- Organizational readiness assessment: Includes an on-site assessment to determine whether gaps exist between your overall organizational processes and current regulatory guidance, the requirements of the UL 2900 cybersecurity standard, or other cybersecurity technical specifications, if desired.
- Security risk assessment: We can support you in developing a threat model for your device, or in supplementing your device risk management procedures to include security-related risks. We can help you identify, inventory, and evaluate the risk controls identified in the cybersecurity risk analysis against commonly accepted risk control requirements, including those in UL 2900.
- Gray box/black box penetration testing: Our security engineers execute targeted exploits against identified (or as-yet unidentified) vulnerabilities in the code and deliver a report of the product's response.
Medical device cybersecurity documentation for US FDA 510(k) submissions and Additional Information (AI) responses
In October 2014, the US FDA issued a guidance document entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” This guidance gives specific recommendations on the documentation that should be included in your 510(k) submission, including a list of all cybersecurity risks considered in the design of your device and a corresponding list of controls.
We can prepare your FDA 510(k) documentation to ensure it follows FDA pre-market cybersecurity guidance and/or review your existing documentation. We can also help prepare your response if you receive an FDA Additional Information (AI) letter regarding cybersecurity measures.
Medical device cybersecurity compliance consulting
Our technical and regulatory consultants are experts in medical device cybersecurity compliance in the US and markets worldwide. We can provide cybersecurity consulting at every stage of the process, from device testing to regulatory documentation preparation. Here’s how we can help:
- Assess software vulnerabilities and weaknesses early in the design process using penetration testing, malware testing, binary/byte code analysis, static code analysis, fuzz testing, and security controls testing.
- Provide audits, cybersecurity compliance assessments, and support for meeting FDA guidance, as well as the cybersecurity recommendations and requirements of other global markets.
- Train your employees in secure product design and in sourcing third-party vendors and components.
- Prepare cybersecurity risk documentation that addresses FDA cybersecurity guidance.
Cyber threats are costly and, in some cases, dangerous. Emergo can help you take steps to reduce the risk of a cyber attack.
Common medical device cybersecurity questions
Are we required to comply with FDA cybersecurity guidance to obtain FDA clearance for our device?
No. FDA guidance documents are advisory in nature and do not have the force of law. However, guidance reflects current FDA thinking, and failure to follow its recommendations can derail a 510(k) submission. Therefore, to ensure ongoing patient safety and a smooth 510(k) clearance process, following the recommendations in FDA cybersecurity guidance documents is highly recommended.
Does FDA require certification to UL 2900 cybersecurity standards?
Certification to UL 2900 is not required for FDA clearance. The UL 2900 series of standards was designed to align with current FDA pre- and post-market cybersecurity guidance, and it has been recognized by the FDA as a consensus standard since August 2017.
What is the difference between white, gray, and black box penetration testing?
A penetration (or “pen”) test targets weaknesses in your product code that may be vulnerable to cyber attacks. In a white box pen test, the engineer performing the test knows the potential weaknesses and the details of your specific security risk controls. White box (or structured) pen testing exercises the robustness of your security risk controls and provides objective evidence that your design is resistant to security threats. In a black box pen test, the engineer simulates the behavior of a bad actor, or “hacker,” who may not have specific details on the design of your product: our security engineers perform reconnaissance to gather information and then execute a brute force attack on your device. A gray box pen test employs a combination of white and black box methods.