FDA Cybersecurity Framework Core Functions: Identify, Protect
Identify and Protect
The Agency recommends that medical device manufacturers provide justification in the pre-market submission for the security functions chosen for their medical devices.
Limit Access to Trusted Users Only
- Limit access to devices through the authentication of users (e.g. user ID and password, smart card, biometric);
- Use automatic timed methods to terminate sessions within the system where appropriate for the use environment;
- Where appropriate, employ a layered authorization model by differentiating privileges based on the user role (e.g. caregiver, system administrator) or device role;
- Use appropriate authentication (e.g. multi-factor authentication to permit privileged device access to system administrators, service technicians, maintenance personnel);
- Strengthen password protection by avoiding "hardcoded" passwords or common words (i.e. passwords which are the same for each device, difficult to change, and vulnerable to public disclosure) and limit public access to passwords used for privileged device access;
- Where appropriate, provide physical locks on devices and their communication ports to minimize tampering;
- Require user authentication or other appropriate controls before permitting software or firmware updates, including those affecting the operating system, applications, and anti-malware.
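The access controls listed above can be expressed as one small enforcement layer. The sketch below is an added example, not code from the FDA guidance or from any device vendor: the role names follow the guidance's examples, while the action names, the 300-second idle timeout, the PBKDF2 parameters and the `second_factor_ok` flag (standing in for the result of a real second-factor check) are assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass

# Constructed policy: layered authorization by user role (action names are assumed).
PRIVILEGES = {
    "caregiver": {"view_therapy", "adjust_therapy"},
    "service_technician": {"run_diagnostics", "install_update"},
    "system_administrator": {"manage_users", "install_update"},
}
MFA_ROLES = {"service_technician", "system_administrator"}  # privileged device access
IDLE_TIMEOUT_S = 300  # assumed value; tune to the use environment

class AccessDenied(Exception):
    pass

@dataclass
class Account:
    role: str
    salt: bytes
    pw_hash: bytes

@dataclass
class Session:
    role: str
    last_activity: float

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(role: str, password: str) -> Account:
    # Credential is set per account at provisioning with a random salt: nothing hardcoded.
    salt = os.urandom(16)
    return Account(role, salt, hash_password(password, salt))

def login(account: Account, password: str, second_factor_ok: bool, now: float) -> Session:
    # Constant-time comparison of the derived hash against the stored one.
    if not hmac.compare_digest(hash_password(password, account.salt), account.pw_hash):
        raise AccessDenied("authentication failed")
    # second_factor_ok is the outcome of a separate factor check (assumed, not shown).
    if account.role in MFA_ROLES and not second_factor_ok:
        raise AccessDenied("second factor required for privileged role")
    return Session(account.role, now)

def authorize(session: Session, action: str, now: float) -> None:
    # Timed termination: an idle session is refused even for permitted actions.
    if now - session.last_activity > IDLE_TIMEOUT_S:
        raise AccessDenied("session expired")
    if action not in PRIVILEGES[session.role]:
        raise AccessDenied(f"{session.role} may not {action}")
    session.last_activity = now
```

Because `install_update` is reachable only through `authorize`, a software or firmware update cannot start without an authenticated, unexpired session in a role that required a second factor at login.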
Ensure Trusted Content
- Restrict software or firmware updates to authenticated code. One authentication method manufacturers may consider is code signature verification;
- Use systematic procedures for authorized users to download version-identifiable software and firmware from the manufacturer;
- Ensure capability of secure data transfer to and from the device, and when appropriate, use methods for encryption.
Detect, Respond, Recover
- Implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use;
- Develop and provide information to the end user concerning appropriate actions to take upon detection of a cybersecurity event;
- Implement device features that protect critical functionality, even when the device's cybersecurity has been compromised;
- Provide methods for retention and recovery of device configuration by an authenticated privileged user.
Contains Nonbinding Recommendations
Manufacturers may elect to provide an alternative method or approach, with appropriate justification.
The National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity, available at: https://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.