How to meet FDA and CE requirements and avoid embarrassing and expensive security breaches
Cyber attacks on connected medical devices are increasing — and they are even more sobering than medical systems hacks. As Harvard Business Review (HBR) puts it, “medical systems hacks are scary, but medical device hacks could be even worse.” Wired, on the other hand, wrote that “medical devices are the next security nightmare.”
To fool-proof the security of your medical devices, you need to make them meet the requirements of the Food and Drug Administration (FDA) and other security standards, which is easier said than done when designing medical wearable devices and IoT devices.
Medical Wearable Device Security Can Be More Challenging
Security challenges for endpoint devices in a fixed location are high. But security challenges for wearables are higher. Here are the top reasons why:
The device may not be the correct device.
The wearer can wander around and be almost anywhere.
Let the user know they need to grant that permission on the iPhone.
Prompt the user with the health authorization dialog on the iPhone.
Make the call once the authorization is complete on the iPhone.
Handle the result of the authorization from the iPhone on the Apple Watch.
Aside from knowing if the device is authorized to send data, you also need to determine if it has been spoofed, if there is a different device sending data, and if the device is sending the right data. You also need to check if it is sending data accurately and if data was taken at the right time.
Security Regulations for Medical Devices
The first step to meeting FDA and other security requirements is being aware of them. Here are the digital health requirements that you should meet to avoid embarrassing and expensive security breaches:
FDA Recommendations. In it’s 2018 draft guidance the FDA divides cybersecurity risks into Tier 1 (Higher Cybersecurity Risk) and Tier 2 (Standard Cybersecurity Risk). Tier 1 has two criteria: (i) the device connects to another product or network (wired or wirelessly) and (ii) a cybersecurity incident could directly result in harm to multiple patients. It recommends the following security measures: authentication, encryption, identification, authorization, and correction. Although guidance is not mandatory, you need to pay attention to it. This guidance is still in draft form as of mid 2020, but it is likely to be adopted at any time. It is advisable to use this guidance for any new device. It is similar to but more detailed than the earlier 2014 guidance that is still in effect.
NIST Cybersecurity Framework. The FDA recommendations are based on the NIST Cybersecurity Framework. Tier 1 recommends the following:
Prevent unauthorized use by limiting access to trusted users and devices only as well as authenticating and checking authorization of safety-critical commands.
Ensure trusted content by maintaining code, data, and execution integrity.
Maintain data confidentiality.
Design the device to detect cybersecurity threats in a timely fashion.
Design the device to respond to and contain the impact of a potential cybersecurity incident.
Design the device to recover capabilities or services impaired due to a cybersecurity incident.
Tier 1 design also advises implementing resilience measures such as cryptographic verification and authentication, secure configuration, and cybersecurity BOM (CBOM).
Tier 2 has the same recommendations, but items may be ignored if a risk-based rational shows they are not appropriate.
HIPAA (Patient Data Privacy). The Health Insurance Portability and Accountability Act (HIPAA) is separate from security. But security must be in place to meet HIPAA. Here are its requirements:
Ensure that the security design is user-centric.
Enable end-to-end security, from device to database and physical access control at the database.
If data is transmitted without patient ID, there is no privacy concern. Match a code with the patient’s name at the database.
CE Security Requirements. CE requirements are not as specific as FDA guidance, but are similar: devices must be safe, effective, and secure. There is a focus on data protection (see GDPR), which is stricter than U.S. patient data requirements.
Documents that apply include Annex I of the Medical Device Regulations (MDR), EN62304 on software, and EN14971 on hazard analysis. The required practices are the following:
Practice 1: Security management
Practice 2: Specification of security requirements
Practice 3: Secure by design
Practice 4: Secure implementation
Practice 5: Security verification and validation testing
Practice 6: Management of security-related issues
Practice 7: Security update management
Practice 8: Security guidelines – documentation
It is the manufacturers’ responsibility to determine the minimum requirements for the operating environment concerning IT network characteristics and IT security measures that could not be implemented through the product design. This means the manufacturer is responsible for providing the information for a user to operate the device in a secure network, even if the manufacturer does not provide the network.
Adopt a Security-by-Design Approach
Medical device security standards are crucial for medical IoT and wearables design, but meeting the requirements is not an easy task. The only way to meet security requirements is through a security-by-design approach, which offers various benefits including the following:
Effective and early security flaws removal.
Built-in rather than bolt-on security.
Reduced risk of liability.
More resilient systems.
How to implement security-by-design
First, be aware of regulatory requirements. Identify product requirements before starting a product design. Design security as part of the product design and test to ensure all requirements are met.
Being Aware of and Identifying Regulatory Requirements is Just Half the Battle
You should also consider the following elements when designing a medical device:
Choice of Technology. Are you building your device on proven technology?
Technology Weaknesses. Does the technology platform have known exploits?
System Design. Where are the risks in the system? Data at rest has different vulnerabilities than data in flight.
Risk Assessment. Overall risk should be broken down into individual items, each with the risk and effort required.
Cryptography. What level of cryptography is needed? Too high requires more power and more time.
Encryption. Encryption is not just protecting the data with an encryption algorithm. Management of security keys is more important.
Threat Detection. How can one detect a threat before any damage is done?
Penetration Testing. Hire ethical hackers to attempt a system attack.
Developers. Are they involved in threat modeling? Are they aware of your organization’s security-by-design practice?
Maintainability. Are requirements for maintainability and tools to measure it in place?
Privacy by Design. Is privacy included in your approach (HIPAA and GDPR)?
Further Improvements. How can you continuously improve device development? Security will get more challenging during the life of the product.
To successfully implement all these measures, hire in-house IoT engineers or a reliable third-party consultant. Voler, for example, was tapped to develop the XEEDA Wallet — the world’s first cryptocurrency hardware wallet for smartphones. Voler implemented security-by-design at every step of product development and designed the device with very high security (EAL Level 5), using multi-factor authentication, built-in biometric security features, and other critical security measures. Voler completed the challenging design on-time and on-budget.
As cybersecurity and privacy issues increase in healthcare, you should make security a top design priority. Meet FDA, CE, and other security requirements to ensure your devices are fool-proof and avoid the costly and embarrassing consequences of security breaches.
Voler can help select the right security design for your device. We offer expert guidance on designing and developing next-generation IoT and wearable devices. We help select the right technology for your device and determine the right combination of electronics for guaranteed security and reliability.