The Federal Drug Administration (FDA) wants medical device manufacturers to follow its recommendations for security controls. This “advice” is part of the updated regulations for premarket submissions and postmarket monitoring. The document defines security control categories and how they can improve medical device cybersecurity.
The list of security controls is long, so we’ll break them up in a series of posts. The first two to review are authentication and authorization.
Let’s review these categories and their impact on FDA approvals.
Authentication Security Controls
Two classifications of authentication are part of security controls—information and entities.
- Information authentication describes the situation wherein the device and system it operates can prove that data originated at a known, trusted source. Further, there is confirmation that there’s been no alteration to the information.
- Entities authentication refers to when a device and the system in which it resides can prove the identity of an endpoint from which it sends or receives information.
Combining these authentication security controls upholds accuracy, integrity, and validation. Your medical device system should have checks and balances to control information at rest and transit, software binaries, and endpoint authentication.
The guidance offers specific recommendations to build comprehensive authentication schemes. These can quickly become complex, depending on the breadth of software and endpoints. When applying a scheme, you’ll need to keep several technical considerations in mind around cryptographic and non-cryptographic protocols.
In addition, there are action items to take to make part of your medical device cybersecurity program. You can employ strong cryptographic authentication, make multifactor authentication mandatory, improve password security protections, institute mechanisms for authenticity verification from the devices, and much more.
Your core competencies involve the development of medical devices, understanding the unique use cases and how patients and providers will use them. While you may have cybersecurity knowledge on your team, the complexities around these security controls are deep, so you can benefit from working with firms that specialize in medical device cybersecurity.
Authorization Security Controls
The FDA defines authorization in this context as “the right or permission granted to a system entity to access a system resource.” The document further clarifies this as a defensive measure, and authorization schemes enforce privileges. They either allow or deny actions to ensure that access to system resources follows acceptable use cases.
In the recommendations, the FDA discusses the notion of least privilege and universally applying it. Thus, every user should only have the minimum level of access in accordance with their job duties.
Least privilege can be one of the last defenses for a cyber-attack. If there’s a credential breach, the threat actor may realize they have minimal access and cannot infiltrate the medical device’s software or network.
The FDA suggests these practices for authorization security controls:
- Follow least privilege rules and ensure any user authenticates in multiple ways.
- Establish automatic timed-out thresholds that terminate sessions after there’s no activity.
- Differentiate privileges based on user roles.
- Build medical devices that align with “deny by default” so that they automatically reject any unauthorized connections or requests.
Developing an authorization scheme takes into consideration many standard cybersecurity best practices. The tricky part can be scaling it across your enterprise. It’s another security control that requires a strategy and constant auditing. Pen testing would be essential in evaluating its resiliency and identifying any exploitable areas.
Security Controls Are Necessary and Good for Medical Device Cybersecurity
Security controls elevate your cybersecurity program for medical devices. The FDA urges you to use them, but they are actually worthwhile in keeping your devices compliant and secure. If you realize these are areas of deficiency in your plans, we can help. Contact our experts today for a discovery session.
