As of October 2023, FDA requirements for new-to-market medical devices have more stringent standards. As part of this, manufacturers of medical devices need to have plans and policies in place for routine maintenance of device software to address any security flaws as they come up. This includes the procedures for fixing vulnerabilities as they arise and the strategy for pushing these fixes out to users. This can often be more complicated than it would seem, as some devices may be cut off from external networks for various reasons.
Addressing Security Concerns
The latest FDA guidelines mandate that device manufacturers provide a plan for how they will go about managing vulnerabilities in their devices. This includes finding them and developing solutions. Ideally, most vulnerabilities can be addressed during the initial security review process. This will be extremely comprehensive penetration testing done before the product is released to help guide the final design process and mitigate glaring security flaws.
Initial rounds of security testing can help guide future decisions based on what is identified. Testers will need to collaborate closely with the development team to find a good strategy for mitigating any uncovered vulnerabilities and making a plan for fixing them in the future. As part of initial testing, documentation regarding externally used software will be generated that can then be further analyzed for external vulnerabilities.
While this aims to try and discover as many vulnerabilities as possible in the initial stages, certain changes or discovered vulnerabilities in dependencies may uncover some new vulnerabilities. Security is a constantly evolving process, and it is impossible to have truly perfect security on anything. With this in mind, it is vital to have a plan to address problems as they arise swiftly.
Proper remediation of vulnerabilities can take time, and that time of exposure can mean that organizations may have to race against attackers to fix bugs before they can be exploited. Having a solid plan in place greatly reduces this time. There should be proper documentation for who is responsible for approving changes and who will be designing changes. Tests should also be conducted to ensure that modifications do not introduce new vulnerabilities into the device.
Pushing Fixes to End Users
Once vulnerabilities have been identified and patched, the next main step is to get them out to the end user. Before any changes are sent out, everything should be properly documented, tested, and approved by the proper governing body. Based on how the device functions, a plan should be made in advance on the process for patch management. Unfortunately, it may not be as simple as just sending out a patch over the internet to any connected devices.
Due to the sensitive nature of many medical devices, the timing of patches can be extremely important. Many devices can not afford random downtime, so accounting for that is important if the device performs sensitive operations. Regardless of how sensitive, the downtime of an update can be disruptive for users, so being able to accommodate this is important. Users should ideally be notified of patch scheduling with enough time to prepare.
Many devices do not allow for patches to be delivered over the internet. The reasons for this can vary wildly, but commonly, devices will not be connected to the internet due to security concerns. The amount of sensitive devices exposed to the internet is absolutely staggering, and attackers can easily find and exploit them. Guarding sensitive devices by keeping them off the open internet can massively reduce the attack risk.
Unfortunately, this can make maintenance difficult in some cases. Software upgrades may require either temporarily exposing the device to the internet, which is not ideal, or applying updates via offline methods. An example of this would be updating a device via a USB drive. This reduces the risk of directly connecting the device to the internet, where attackers can discover it. Software updates can then be sent to users, who can then safely update their products.
Develop Your Safety Plans With Blue Goat Cyber
Navigating the FDA requirements for releasing a medical device can be difficult. We can help guide you through the process and secure your device against attack. Along with comprehensive medical device testing, our team can assist in developing strategies and plans for addressing future vulnerabilities that will help your organization meet the FDA requirements and reduce the time needed to get your product to market. Contact us to schedule a meeting.
