FDA Cybersecurity Framework Core Functions: Identify, Protect

11/18/2018


Identify and Protect

Medical devices capable of connecting (wirelessly or hard-wired) to another device, to the Internet or other network, or to portable media (e.g. USB or CD) are more vulnerable to cybersecurity threats than devices that are not connected. The extent to which security controls are needed will depend on the device's intended use, the presence and intent of its electronic data interfaces, its intended environment of use, the type of cybersecurity vulnerabilities present, the likelihood the vulnerability will be exploited (either intentionally or unintentionally), and the probable risk of patient harm due to a cybersecurity breach.


Manufacturers should also carefully consider the balance between cybersecurity safeguards and the usability of the device in its intended environment of use (e.g. home use vs. health care facility use) to ensure that the security controls are appropriate for the intended users. For example, security controls should not unreasonably hinder access to a device intended to be used during an emergency situation.
The Agency recommends that medical device manufacturers provide justification in the pre-market submission for the security functions chosen for their medical devices.

Examples of security functions to consider for protection of medical devices should include, but should not be limited to, the following:

Limit Access to Trusted Users Only

  1. Limit access to devices through the authentication of users (e.g. user ID and password, smart card, biometric);
  2. Use automatic timed methods to terminate sessions within the system where appropriate for the use environment;
  3. Where appropriate, employ a layered authorization model by differentiating privileges based on the user role (e.g. caregiver, system administrator) or device role;
  4. Use appropriate authentication (e.g. multi-factor authentication to permit privileged device access to system administrators, service technicians, maintenance personnel);
  5. Strengthen password protection by avoiding "hardcoded" password or common words (i.e. passwords which are the same for each device, difficult to change, and vulnerable to public disclosure) and limit public access to passwords used for privileged device access;
  6. Where appropriate, provide physical locks on devices and their communication ports to minimize tampering;
  7. Require user authentication or other appropriate controls before permitting software or firmware updates, including those affecting the operating system, applications, and anti-malware.
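The access controls listed above can be combined into a single authorization gate. The sketch below is an added example, not part of the FDA guidance; the role names, action names, and timeout values are assumptions chosen for illustration. It enforces an idle session timeout, role-based privileges, and multi-factor authentication before privileged actions such as a firmware update, and records each decision with a timestamp.

```python
import time

# Assumed policy tables; role and action names are hypothetical, not from the guidance.
ROLE_ACTIONS = {
    "caregiver": {"view_readings", "adjust_therapy"},
    "service_technician": {"view_readings", "install_firmware"},
    "system_administrator": {"view_readings", "install_firmware",
                             "restore_config", "manage_users"},
}
# Privileged actions need a second factor on top of the role check.
MFA_ACTIONS = {"install_firmware", "restore_config", "manage_users"}
# Idle limit per role in seconds (constructed values).
IDLE_LIMIT_S = {"caregiver": 600, "service_technician": 120,
                "system_administrator": 120}


class Session:
    def __init__(self, user, role, mfa_verified, last_activity):
        self.user, self.role = user, role
        self.mfa_verified = mfa_verified
        self.last_activity = last_activity  # epoch seconds of last permitted action


def authorize(session, action, now=None, audit=None):
    """Return (allowed, reason); append a timestamped record to `audit` if given."""
    now = time.time() if now is None else now
    if session.role not in ROLE_ACTIONS:
        decision = (False, "unknown_role")
    elif now - session.last_activity > IDLE_LIMIT_S[session.role]:
        decision = (False, "session_expired")      # automatic timed termination
    elif action not in ROLE_ACTIONS[session.role]:
        decision = (False, "role_not_permitted")   # layered authorization by role
    elif action in MFA_ACTIONS and not session.mfa_verified:
        decision = (False, "mfa_required")         # privileged access needs MFA
    else:
        session.last_activity = now                # only permitted use extends the session
        decision = (True, "ok")
    if audit is not None:
        audit.append({"t": now, "user": session.user, "action": action,
                      "allowed": decision[0], "reason": decision[1]})
    return decision


if __name__ == "__main__":
    log = []  # constructed sample session below
    tech = Session("tech01", "service_technician", False, 1000.0)
    print(authorize(tech, "install_firmware", now=1010.0, audit=log))
    print(log)
```

Denied requests do not refresh the idle timer, so repeated failed attempts cannot keep an abandoned session alive.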

Ensure Trusted Content

  1. Restrict software or firmware updates to authenticated code. One authentication method manufacturers may consider is code signature verification;
  2. Use systematic procedures for authorized users to download version-identifiable software and firmware from the manufacturer;
  3. Ensure capability of secure data transfer to and from the device, and when appropriate, use methods for encryption.

Detect, Respond, Recover

  1. Implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use;
  2. Develop and provide information to the end user concerning appropriate actions to take upon detection of a cybersecurity event;
  3. Implement device features that protect critical functionality, even when the device's cybersecurity has been compromised;
  4. Provide methods for retention and recovery of device configuration by an authenticated privileged user.

Contains Nonbinding Recommendations

Manufacturers may elect to provide an alternative method or approach, with appropriate justification.

The National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity, available at: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.

