Transparency for medical devices is critical in all areas, and cybersecurity is included. Users will typically want to know what can happen with a device they are using, especially in a medical context. The consequences of a problem can be catastrophic, even leading to loss of life. With this in mind, it makes sense why it is so critical to keep users informed about the risks and complications involved with any medical device.
What Is Transparency?
Cybersecurity transparency is making sure that users are educated on steps that they can take to remain safe and the risks associated with a device. It can also be good to include information on what steps should be taken in the event of an unexpected event and who to report to. This information can cut down both on the likelihood of attacks and the impact. Proper education can also help users learn to recognize an anomalous event and understand when something may be wrong.
It is critical that documentation and labeling for devices are fully accurate and kept up to date. Not only can it be very dangerous for users if the information is inaccurate, but it can open the device up to regulatory problems, as it will be considered to be mislabeled. Information should be catered to the expected users and their level of understanding of cybersecurity concepts. It can be helpful to have information with scaling levels of detail for those who may need some more information (such as in-house technicians).
There is no “one size fits all” solution for what information should be transparent to users. Of course, there is a certain level of access that will be reserved for only the manufacturer, but how far that goes can be difficult to know. Users will often benefit from greater levels of detail on the workings of a device, but the balance still must be present. It can also be difficult to know what sort of information is relevant, as functionality within medical devices can quickly become extremely complex.
Once the device has been approved for market, the work hasn’t ended yet. Transparency extends into the lifetime of the product, and a solid plan should be in place for keeping previous customers educated. If the need arises, there should be a procedure in place for updating any outdated policies or documentation about the device. As part of that, processes must be in place for conveying the updates to users.
How Can Manufacturers Achieve Proper Transparency?
Proper transparency can be difficult to achieve, but it is vital for FDA compliance and user safety. A major part of this is sufficient labeling. Labeling should be comprehensive and cover both high-level and low-level explanations of the device. Explicit information about the risks being prevented and the dangers of mishandling the device should be clearly defined. Best practices for the device can also be included to help users enforce their own security.
As part of transparency, the FDA mandates that a software bill of materials (SBoM) for the device be publicly available and completely document all 3rd party components involved in the device. This SBoM should be monitored for new vulnerabilities discovered in outside components and the device should regularly be reassessed for security based on new findings within the SBoM. A secondary function of the SBoM is to ensure that licensing requirements are being met and the device is not breaching any standards or regulations there.
Once the device is released, detailed plans should cover the process for monitoring, reporting, and remediating vulnerabilities that get discovered in the future. Part of this ties into vulnerabilities in the SBoM, but this should also account for unique vulnerabilities in the custom code. Zero-day vulnerabilities may be introduced through regular maintenance, or even patching for other security-related issues. Understanding this and accounting for it ahead of time can greatly reduce the time needed to fix these vulnerabilities as they come up.
Get Your Device To Market With Blue Goat Cyber
When in doubt, it can be worth contacting a security specialist. Submission requirements evolve rapidly and rejections can increase the time it takes for devices to get approved for the market. The team at Blue Goat Cyber can help relieve some of the stress of the FDA submissions process and get your device to market faster. We are highly experienced in security testing for devices of all types and can help protect your device against initial software vulnerabilities and postmarket vulnerabilities. Contact us to learn more about how we can help.
