Managing Security Risk in Medical Device Manufacturing

Managing Security Risk in Medical Device Manufacturing

The following is an adapted piece from the full report Safety First: Breaking Down the FDA’s 2023 Premarket Cybersecurity Regulations, which gives a full product security breakdown of the FDA’s September 2023 PMA cybersecurity requirements.

——

Managing the risk of devices doesn’t mean rolling with the punches, it means thinking from the start on how to keep each individual device secure.

Unfortunately, not all devices were created with this longterm security built in for the long term. Whether the result of poor practices, developer error, or one of the many ways a vulnerability finds its way into a connected product, product security teams are working to address the high number of vulnerabilities throughout their devices– many of which have only been discovered recently.

The approach of mitigating vulnerabilities still meant that devices were being deployed to the complex environments that are healthcare facilities with known vulnerabilities. Even with updates promised soon after, the devices remain high-risk until that happens.

Eliminating medical device vulnerabilities

In the past, up until the announcement of the RTA policy at the end of March 2023, the FDA requested that all vulnerabilities be mitigated– but the approach didn’t work. 

The FDA is demanding the change in this status quo, adding in the latest Premarket Authorization Guidelines, also known as the PMA, adding the word “eliminate” when speaking of known vulnerabilities. For product security teams, this means working closely with the product team from ideation by building a list of potential components that can be used to conduct the needed features. Once this list of software or initial SBOM is created, teams can weigh the potential device’s risk against its abilities.

For devices already in the field, eliminating vulnerabilities should be a top priority– meaning automation must be put in place to identify and address known security risks as soon as possible. Manually searching vulnerabilities is a time and resource-intensive process that not only becomes a never-ending feat, it also doesn’t comply with the Omnibus or PMA requirements.

VA Co-Pilot
The VM Co-Pilot: An Automated Analyst for Product Vulnerability Management

The FDA knows that no device can be 100% secure but taking steps to fully eliminate vulnerabilities has become a goal unto itself. This can be understood as the administration is open to mitigation methods, however when elimination is possible, it should be followed through.

A device should be designed to eliminate or mitigate known vulnerabilities. For marketed devices, if comprehensive design mitigations are not possible, compensating controls should be considered.

-FDA PMA 2023

Security risk management report

SBOMs act as a foundation for managing risk. “We’re not asking for a software bill of material information just to ask for it. We are asking for it so we can use it. We do that by cross-referencing SBOM information with other known information such as known vulnerabilities,” said Jessica Wilkenson, Senior Policy Advisor at the FDA. “So, what vulnerabilities need to be addressed? What vulnerabilities may be addressable later and how do I prioritize all of these things?”

When vulnerabilities are present in a device and they can’t be removed, they must be identified and reviewed throughout a device’s full lifetime, and then run against CISA’s known vulnerability database. 

A report should be generated explaining which vulnerabilities remain present in a device and the risks they bring with them.

“In addition to containing the documentation elements listed above, the security risk management report should:

  • Summarize the risk evaluation methods and processes,
  • Detail the residual risk conclusion from the security risk assessment,
  • Detail the risk mitigation activities undertaken as part of a manufacturer’s risk management processes, and
  • Provide traceability between the threat model, cybersecurity risk assessment, SBOM, and testing documentation as discussed later in this guidance as well as other relevant cybersecurity risk management documentation.”
    -FDA PMA 2023

A full product security lifecycle approach

Ultimately, device safety, whether cybersecurity-related or not, is a top priority. According to the latest FDA’s cybersecurity guidelines for medical devices “Security risk management should be an integrated part of a manufacturer’s entire quality system, addressed throughout the TPLC [total product life cycle].”

To achieve proper medical device security, product security professionals must have the ability to automatically triage and prioritize newly discovered vulnerabilities within their devices, which can be achieved with technologies such as the VM CoPilot. As technologies advance, teams that rely on the same fixed number of resources can increase their impact without sacrificing security.

—–

This blog is adapted from the report Safety First: Breaking Down the FDA’s 2023 Premarket Cybersecurity Regulations.