What Is A Medical Cyber Device? Unraveling the FDA’s Cyber Device Definition

As medical technology continues to advance, the line between traditional medical devices and “cyber devices” has become increasingly blurred. Many medical device manufacturers are surprised to learn that their products may qualify as cyber-enabled under the FDA’s regulatory framework – even if they don’t have obvious internet connectivity.

In this in-depth blog post, we’ll unpack the FDA’s definition of a “cyber device” and explore the common misconceptions that lead many MedTech innovators astray. We’ll dive into specific examples of hardware interfaces that can unexpectedly classify a device as cyber-enabled, and discuss practical strategies for avoiding this classification or properly securing your product.

Defining a Medical Cyber Device: Software and Connectivity

According to Christian Espinosa, CEO of Blue Goat Cyber, the FDA’s definition of a cyber device boils down to two key criteria:

  • Does the device contain software?
  • Does the device have any possible way to connect to the internet?

If a medical device meets both of these conditions, then it is considered a cyber device – regardless of whether that internet connectivity is actively used or not.

As Trevor Slattery, CTO and Director of MedTech Cybersecurity at Blue Goat Cyber, explains, the second criterion, connectivity, is where a lot of the confusion arises:

“The fact that there’s a USB port means it’s a cyber device. But that’s a misconception I hear all the time still.”

Many manufacturers assume that only obvious internet-enabled interfaces like Wi-Fi or Ethernet would qualify a device as cyber-enabled. However, the FDA takes a much broader view – considering any potential pathway for data exchange or remote access as a cyber risk, including:

  • Wi-Fi
  • Cellular
  • Bluetooth (including Bluetooth Low Energy)
  • USB ports
  • Serial ports
  • Magnetic coils (e.g. RFID, NFC)
  • HDMI

Even if these interfaces are not actively used for internet connectivity, the mere presence of a potential attack vector is enough to classify the device as cyber-enabled in the eyes of the FDA.

The Challenge of Proving “Zero Vulnerabilities”

One common misconception that Espinosa and Slattery often encounter is the idea that a device can avoid cyber device classification if it can be proven to have “zero vulnerabilities”.

“It’s a very hard argument to make and it’s a very risky approach to take. And so typically we recommend saying if your device has software, there’s likely going to be a way to exploit it.”

As Slattery explains, the burden of proof required to demonstrate a complete absence of vulnerabilities, even in a small piece of software, is immense:

“One team member that we have, for part of his master’s program, had to prove a piece of software was vulnerability-free. It was like three lines of code and something around 50 pages of proof to prove that three lines of code was free of any vulnerabilities whatsoever. Now imagine when you’re moving into a medical device, which can have thousands, tens of thousands, hundreds of thousands of lines of code. The proof that it’s going to be free of vulnerabilities would be so much more effort than complying with the cybersecurity guidelines.”

Rather than attempting to prove the impossible, Espinosa and Slattery recommend that manufacturers simply accept that any device with software is likely to have some form of exploitable vulnerability – and focus their efforts on properly securing and mitigating those risks.

Unexpected Cyber Enablers: Hardware Interfaces

While the presence of software is a clear indicator of a cyber device, the connectivity criterion is where many manufacturers get tripped up. As Slattery explains, even seemingly innocuous hardware interfaces can open the door to cyber risks:

“A USB port is the perfect example. You would not inherently think a USB port can introduce a network scenario into the device, and it’s just a little bit of a misconception with (a) what the interface can do and (b) what the FDA defines as internet connectivity.”

One particularly surprising example is the case of HDMI ports. While most people think of HDMI as simply a display output, the protocol actually includes capabilities that can enable cyber attacks:

“HDMI, exactly like you said, you’re normally thinking about it connecting into your TV or into a second monitor, just providing display output, but those cables and those connections can actually provide control over systems over the CEC, the consumer electronics communications.”

Slattery goes on to explain how the HDMI Ethernet Channel (HEC) feature can even allow Ethernet communications to be passed through the HDMI interface – effectively turning it into a network connection point.

Similarly, Bluetooth – including Bluetooth Low Energy (BLE) – is another interface that is often overlooked as a cyber risk. As Espinosa notes, even the relatively short range of BLE can be extended through the use of specialized equipment:

“Oftentimes you can see some examples that have been done by security researchers in the past at events like Black Hat, where they have Bluetooth sniper rifles, for example, which sounds like a ridiculous concept, but they look like sniper rifles that I believe have a range of around a kilometer to send and receive Bluetooth signals with super targeted, precise antennas.”

This type of long-range Bluetooth attack has even been a concern for high-profile individuals like former Vice President Dick Cheney, who had the wireless capabilities of his pacemaker disabled out of fear of remote exploitation.

The 3D Printing Software Surprise

One real-world case that Espinosa and Slattery encountered highlights just how broad the FDA’s definition of a cyber device can be. In this instance, a client who manufactured a 3D printing system for medical implants was surprised to learn that their device was classified as cyber-enabled – not because of the 3D printer itself, but because of the software used to model the implants:

“The FDA determined that the software they were using to plan treatments for their patients was a pivotal component of the device. So it was included in the boundary of the device. And this is what manufacturers need to be extra aware of is where are they drawing the lines with those boundaries.”

Even though the 3D printing software was a third-party tool, not developed by the client, the FDA still considered it an integral part of the overall medical device. This meant the client had to comply with the same cybersecurity requirements as if they had developed the software themselves.

As Slattery explains, the key lesson here is that manufacturers must carefully define the boundaries of their “device” – including any third-party components or software that are essential to its functionality. Anything that falls within that defined scope is subject to the FDA’s cyber device regulations.

Strategies for Avoiding Cyber Device Classification

If a medical device does meet the criteria of a cyber device, the path forward can seem daunting. However, Espinosa and Slattery outline several practical strategies that manufacturers can employ to either avoid this classification or properly secure their cyber-enabled products:

Removing Unnecessary Connectivity

One of the simplest approaches is to eliminate any unnecessary hardware interfaces that could potentially enable cyber attacks. As Espinosa explains:

“The way to remove that from being classified as a cyber device is to enclose that USB port and put tamperproof seals on the device. So now it’s purely self-contained. There’s no way to connect to the software, which is a relatively simple fix to avoid the whole cybersecurity path with the FDA.”

By physically securing or removing unused ports and connectivity, manufacturers can potentially reclassify their device as non-cyber, avoiding the need to comply with the full set of cybersecurity requirements.

Isolating Functionality

In some cases, it may not be feasible to remove connectivity completely. However, Slattery notes that manufacturers can sometimes restructure their device’s functionality to limit the cyber attack surface:

“If you’re able to, you know, remove this entirely, you’re flashing it on at the board level, you’re doing it, you know, as kind of a one-and-done process, or you’re changing the way that your device works so that you don’t require as much of these updates, and you strip out any of that connectivity. You just try to isolate it from being a cyber device.”

By minimizing the need for remote updates, cloud connectivity, or other cyber-enabled features, manufacturers can potentially reclassify their device or at least reduce the scope of cybersecurity requirements.

Consulting Experts and the FDA

Ultimately, Espinosa and Slattery emphasize that there is no one-size-fits-all approach to navigating the FDA’s cyber device regulations. They recommend that manufacturers reach out to experts like the team at Blue Goat Cyber for guidance, as well as directly engage with the FDA to understand the specific classification and compliance requirements for their product:

“Reaching out to experts like our team at Blue Goat to say, hey, are we a cyber device? How can we not become a cyber device? How can we secure us being a cyber device? We can help you with all of these answers and make sure that we’re guiding you on a secure path forward.”

By proactively addressing cyber device classification and security, manufacturers can save themselves significant time, effort, and frustration down the road – ensuring their innovative medical technologies can reach patients safely and securely.

Conclusion

The line between traditional medical devices and cyber-enabled products has become increasingly blurred. As the FDA continues to expand its definition of what constitutes a “cyber device,” medical device manufacturers must be vigilant in understanding the regulatory landscape and taking proactive steps to secure their innovations.

Whether it’s unexpected hardware interfaces, third-party software dependencies, or the challenge of proving “zero vulnerabilities,” the cybersecurity requirements for medical devices can be complex and ever-evolving. By partnering with experts like the team at Blue Goat Cyber, manufacturers can navigate these waters with confidence, ensuring their products meet the FDA’s stringent cybersecurity standards while bringing life-saving technologies to market.

To learn more about securing your medical device or partnering with Blue Goat Cyber, schedule a Discovery Session today. And be sure to subscribe to the Med Device Cyber Podcast for the latest insights and best practices in medical device cybersecurity.
