The FDA's latest medical device cybersecurity update covers many security controls. Along with specific guidelines, the agency has also provided practical recommendations. This article reviews the security controls for code, data, and execution integrity.
Integrity Violations and Cybersecurity Risk
According to the FDA, integrity issues are the root cause of many cyberattacks. These issues can involve stored code, stored and operational data, or the execution state. As a result, this risk should be part of your medical device cybersecurity strategy.
There are three integrity categories to consider in security controls: code integrity, data integrity, and execution integrity.
What Is Code Integrity?
Code integrity refers to assuring that software code stays unaltered and trustworthy throughout its lifecycle. Ensuring code integrity is pivotal in maintaining the security of a medical device. It has three components:
- Code signing: It allows users to validate the authenticity and integrity of software code via digital signatures within the code. It creates a unique identifier that’s traceable back to the software publisher.
- Hash functions: Hashes generate a distinct value for every piece of code. By comparing these before and after execution, developers can locate any modifications.
- Digital certificates: Certificate authorities (CAs) contain the software owner’s public key, which is used to virtually sign the code.
FDA guidance on code integrity includes:
- Using authenticated firmware and software
- Enabling cryptographically authenticated firmware and software updates
- Assuring that validation occurs before execution based on digital signatures
- Disabling unauthorized access to test and debug ports
What Is Data Integrity?
Data integrity in software development describes all the processes you should use to ensure the accuracy, reliability, and validity of data throughout its lifecycle. Regarding medical device cybersecurity, the emphasis on data integrity involves both incoming and external source data.
Medical devices create and receive a lot of data, which is necessary for their effectiveness. The FDA wants to ensure that no data is modified during transit or at rest. They suggest that all incoming data go through a validation process.
Other tips include validating data ranges and applying the proper configuration outputs for data integrity.
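The validation order described above (confirm the data was not modified, then check ranges), shown as an added example that is not from the FDA guidance or the original article. The HMAC-SHA256 envelope, the key, the field names, and the limits are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Hypothetical key and clinical limits, constructed for this example only.
DEVICE_KEY = b"example-key-not-for-production"
LIMITS = {"glucose_mg_dl": (20, 600), "dose_units": (0.0, 25.0)}


class IntegrityError(ValueError):
    """Raised when a message fails authentication or validation."""


def seal(payload: dict, key: bytes = DEVICE_KEY) -> dict:
    """Sender side: attach an HMAC-SHA256 tag over the canonical JSON body."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def accept(message: dict, key: bytes = DEVICE_KEY) -> dict:
    """Receiver side: authenticate first, then parse, then range-check."""
    body, tag = message.get("body"), message.get("tag")
    if not isinstance(body, str) or not isinstance(tag, str):
        raise IntegrityError("malformed envelope")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison, done before any untrusted field is parsed.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        raise IntegrityError("tag mismatch: data modified or wrong key")
    payload = json.loads(body)
    if not isinstance(payload, dict) or set(payload) != set(LIMITS):
        raise IntegrityError("unexpected or missing fields")
    for field, (low, high) in LIMITS.items():
        value = payload[field]
        # bool is an int subclass in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise IntegrityError(f"{field}: not a number")
        if not low <= value <= high:  # NaN and Infinity also fail here
            raise IntegrityError(f"{field}: {value} outside {low}..{high}")
    return payload
```

An authentic message can still carry an unsafe value, which is why the range check runs even after the tag verifies.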
What Is Execution Integrity?
The third area of integrity is the execution environment. Execution integrity describes maintaining verification of code and data once the medical device software begins to execute. It’s the real-time component of integrity security controls.
FDA guidance for medical device cybersecurity recommends industry-accepted best practices, such as host-based intrusion prevention systems. The FDA also recommends that medical device manufacturers thoroughly review, whether by automated or manual means, the design of all code that parses external data.
How Can Medical Device Companies Instill Integrity?
These three areas of integrity run parallel with many of the other FDA mandates and recommendations. Code integrity falls under creating a software bill of materials (SBOM). The FDA now requires it, and it is also a best practice for defending against cyberattacks.
Data integrity should be a pillar of your cybersecurity strategy. Ensuring you have verification tools in place, as well as traffic segmentation, creates an even safer environment.
Execution integrity falls under the two areas of premarket submissions:
- Tracking and addressing cybersecurity issues after the device is in use
- Implementing internal procedures to find vulnerabilities and correct them
Creating a culture of proactive cybersecurity principles is necessary to follow integrity guidelines. While integrity validations are not a mandate of the FDA, they provide value in adhering to some of the requirements for your premarket submission.