Cybersecurity and the FDA
Overview for Medical Devices
By Frances Cohen
President Promenade Software Inc.
Board Member MedISAO
• B.S. Geophysics – UCLA. Worked in the Dept. on an Apple IIe and 1st PC.
(dinosaurs still roamed the earth but punch cards were going extinct)
• Hated oil research – loved software. Got a BS Computer Engineering from
the Technion – Israel Institute of Technology.
• Chief Architect and core team manager at Phoenix BIOS back in the PC
heyday of 286/386/486/Pentium, Windows 3.1 – XP.
• Implemented and managed development of a GE Medical Hospital
Defibrillator at Cardiac Science – first introduction to medical devices.
• Directed software development at Source Scientific LLC, a medical device
contract developer and manufacturer for 9 years.
• Current – President of Promenade Software Inc. – a medical device
software service co. 3+ years.
Promenade Software Inc.
• A service provider of Medical Device Software
– ~15 software engineers
– Full stack of software for devices and their
• Embedded and User-facing software.
• Mobile Apps and Cloud
– Handle software regulatory submission
– Cybersecurity solutions and services
• A medical device information sharing and
– Provides ongoing cybersecurity information
tailored to the medical device industry.
– Alerts members of potential threats
– Geared towards smaller manufacturers and
Cybersecurity and Medical Devices
– the procedure of preventing unauthorized access,
modification, misuse or denial of use, or the
unauthorized use of information that is stored,
accessed, or transferred from a medical device to
an external recipient.
– A weakness in a device’s cybersecurity
(implementation or processes) that could be
• From Executive Order 13636
– Cyber threats to national security are among the most serious.
• Thousands of medical devices have been shown to
be vulnerable to hacking
– Rising number of medical devices connected to the internet.
– Insufficient security practices, e.g. fixed hardcoded passwords, defaults
not changed, or no encryption.
– From infusion pumps to CT scans, implantable defibrillators – many
easily accessible from within the hospital, and some on the web or
within Bluetooth reach.
• Raising privacy concerns and safety concerns
Ex: GE’s Password Cloud
Default passwords with an advisory not to change them in the manual –
for service reasons.
• Hospira Symbiq Infusion System – July 2015
– FDA issued advisory to stop using due to cybersecurity risk
• J&J Animas Insulin Pump – October 2016
– J&J advised to turn off wireless functions until patched
– Attacker could command pump to dispense arbitrary amount of insulin
from 25 feet away
• St. Jude Pacemaker – August 2016
– Security firm reported ability to wirelessly control implanted
– St. Jude stock dropped ~10%
– Ongoing investigations on validity of claim
FDA Guidance - History
• No initial mention in guidance material
• Oct 2014 – FDA released the Guidance for
“Premarket Submission for Management of
Cybersecurity in Medical Devices”
• Jan 2016 – FDA released a draft guidance “Postmarket
Management of Cybersecurity in Medical Devices”
– Talk of release by the end of the year.
Guidance follows standards for securing
networked systems (ex: systems having to do
• Identify and Protect
– Limit Access to Trusted Users Only
• Require authentication of users (ex: ID and password, or biometric). No hardcoded
passwords. Use modern hashes.
• Use multi-factor authentication to privileged device access (service techs., system
• Require user authentication for upgrades.
• Terminate sessions after a timeout, as appropriate.
– Ensure trusted content
• Upgraded code should be authenticated (e.g. signed)
• Ensure secure data transfer to and from device, using encryption.
• Detect, Respond, Recover
– Implement features allowing for detection of
– Implement features that protect critical
functionality, even when cybersecurity has been
– Provide method of recovery by an authenticated
– Include a Hazard Analysis with mitigations
pertaining to cybersecurity risks.
– Show traceability to requirements.
– Describe plan for providing updates.
– Provide instructions for recommended
cybersecurity controls appropriate for the
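
The "Identify and Protect" access controls listed above (per-user authentication, no hardcoded passwords, modern hashes, authenticated upgrades, session timeout), shown together as an added example; it is not code from the FDA guidance or from this presentation. The class name, roles, action names, scrypt cost settings and 300-second idle limit are assumptions.

```python
import hashlib, hmac, os, secrets, time

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # memory-hard KDF cost (assumed values)
IDLE_TIMEOUT_S = 300                        # assumed idle limit; set per device risk
PRIVILEGED = {"upgrade"}                    # actions reserved for the service role

def _kdf(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

class DeviceAccess:
    def __init__(self):
        self.users = {}     # name -> (salt, hash, role); no plaintext, no defaults
        self.sessions = {}  # token -> [name, last_seen]

    def enroll(self, name, password, role="clinician"):
        salt = os.urandom(16)  # unique salt per credential
        self.users[name] = (salt, _kdf(password, salt), role)

    def login(self, name, password, now=None):
        now = time.monotonic() if now is None else now
        salt, stored, _ = self.users.get(name, (b"\0" * 16, b"", None))
        # Hash even for unknown users so timing does not reveal valid names.
        if not hmac.compare_digest(_kdf(password, salt), stored):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = [name, now]
        return token

    def authorize(self, token, action, now=None):
        now = time.monotonic() if now is None else now
        session = self.sessions.get(token)
        if session is None:
            return False
        name, last_seen = session
        if now - last_seen > IDLE_TIMEOUT_S:
            del self.sessions[token]  # terminate the idle session
            return False
        if action in PRIVILEGED and self.users[name][2] != "service":
            return False              # upgrades need an authenticated service user
        session[1] = now              # activity resets the idle timer
        return True
```

Multi-factor authentication and signature checks on the upgrade image itself are separate controls that this block does not cover.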
To address evolving cybersecurity risks, FDA identifies a number
of critical components that should be included from the device
– Monitor information sources for vulnerabilities
– Assess presence and impact of a vulnerability
– Establish and communicate process for vulnerability intake and
– Define essential clinical performance
• To develop mitigations to protect, respond and recover
– Adopt a Coordinated Vulnerability Disclosure policy and practice
– Deploy mitigations prior to exploitation.
• FDA recognizes IEC 29147:2014
– deals with the interface between vendors and those who
find and report potential vulnerabilities
– Could be external – how does a 3rd party report a
• Why have one?
– FDA recommends it
– Gives advance notice of vulnerabilities
– Makes patients safer
– Better publicity control
– More likely for security researchers to work with you
instead of against you
Private Sector Information Sharing
• Executive Order 13691
– Promotes private sector information sharing, encouraging
ISAOs (information sharing analysis organizations)
• ISAOs serve as focal points for cybersecurity information
sharing and collaboration.
• ISAOs protect privacy of individuals and preserve business
confidentiality, safeguarding information being shared.
• FDA considers participation in an ISAO a critical component of
a medical device manufacturer’s comprehensive proactive
approach to management of postmarket cybersecurity
Advantage of ISAO Membership
• Manufacturers must report vulnerabilities to
the FDA unless all of the following are met:
– There are no known serious adverse events or
– Manufacturer implements controls within 30 days
– Manufacturer is a participating member of an ISAO
Advantage of ISAO Membership
From the guidance:
“Participants in an ISAO can request that their information be
treated as Protected Critical Infrastructure Information. Such
information is shielded from any release otherwise required by
the Freedom of Information Act or State Sunshine Laws and is
exempt from regulatory use and civil litigation if the information
satisfies the requirements of the Critical Infrastructure
Information Act of 2002”
• The Device Manufacturer has responsibility to
implement cybersecurity risk management
programs premarket and postmarket.
• Information sharing is a critical part of
postmarket cybersecurity programs
The FDA now views cybersecurity risks just as
seriously as defective product risks.