Comply with FDA Device Security Requirements
Introduction
On September 27, 2023, the Food and Drug Administration (FDA) finalized its cybersecurity guidance for medical devices, titled Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. Manufacturers of medical devices under review for FDA clearance use the published guidance as a framework to demonstrate that effective policies and processes will be in place to maintain security throughout the device's product lifecycle. The following table is intended to help organizations trace their own internal practices to the controls defined by the FDA.
Table of Controls
The following table maps all current FDA cybersecurity documents and the controls they require.
ID | Category | FDA Requirement | Regulatory Mapping |
---|---|---|---|
1 | Authentication | Avoid the use of implicit authentication mechanisms (i.e., trusted IP addresses and handshakes that do not rely on cryptographic secrets). | US FDA 2023 - Premarket |
2 | Authentication | Use cryptographic authentication protocols | US FDA 2023 - Premarket |
3 | Authentication | Use cryptographically strong authentication, where the authentication functionality resides on the device, to authenticate personnel, messages, commands, updates, and, as applicable, all other communication pathways. Hardware-based security solutions should be considered and employed when possible | US FDA 2023 - Premarket |
4 | Authentication | Authenticate external connections at a frequency commensurate with the associated risks. For example, if a device connects to an offsite server, then the device and the server should mutually authenticate each session and limit the duration of the session, even if the connection is initiated over one or more existing trusted channels. | US FDA 2023 - Premarket |
5 | Authentication | Use appropriate user authentication (e.g., multi-factor authentication to permit privileged device access to system administrators, service technicians, or maintenance personnel, among others, as needed) | US FDA 2023 - Premarket |
6 | Authentication | Require authentication, and authorization in certain instances, before permitting software or firmware updates, including those updates affecting the operating system, applications, and anti-malware functionality | US FDA 2023 - Premarket |
7 | Authentication | Strengthen password protections. Do not use passwords that are hardcoded, default, easily guessed, or easily compromised (e.g., passwords that are the same for each device; unchangeable; can persist as default; difficult to change; and/or vulnerable to public disclosure) | US FDA 2023 - Premarket |
8 | Authentication | Implement anti-replay measures in critical communications such as potentially harmful commands. This can be accomplished with the use of several methods including the use of cryptographic nonces (an arbitrary number used only once in a cryptographic communication) | US FDA 2023 - Premarket |
9 | Authentication | Provide mechanisms for verifying the authenticity of information originating from the device, such as telemetry. This is especially important for data that, if spoofed or otherwise modified, could result in patient harm, such as the link between a clinician programmer or monitoring device and an implanted device like a pacemaker, defibrillator, or neurostimulator; or the link between a continuous glucose monitor system and an automated insulin pump | US FDA 2023 - Premarket |
10 | Authentication | Do not rely on cyclic redundancy checks (CRCs) as security controls. CRCs do not provide integrity or authentication protections in a security environment. While CRCs are an error detecting code and provide integrity protection against environmental factors (e.g., noise or EMC), they do not provide protections against an intentional or malicious actor | US FDA 2023 - Premarket |
11 | Authentication | Consider how the device and/or system should respond in event of authentication failure(s) | US FDA 2023 - Premarket |
12 | Authorization | Limit authorized access to devices through the authentication of users (e.g., user ID and password, smartcard, biometric, certificates, or other appropriate authentication method) | US FDA 2023 - Premarket |
13 | Authorization | Use automatic timed methods to terminate sessions within the medical device system where appropriate for the use environment | US FDA 2023 - Premarket |
14 | Authorization | Employ an authorization model that incorporates the principle of least privileges by differentiating privileges based on the user role (e.g., caregiver, patient, healthcare provider, system administrator) or device functions | US FDA 2023 - Premarket |
15 | Authorization | Design devices to “deny by default” (i.e., that which is not expressly permitted by a device is denied by default). For example, the device should generally reject all unauthorized connections (e.g., incoming TCP, USB, Bluetooth, serial connections). Ignoring requests is one form of denying authorization. | US FDA 2023 - Premarket |
16 | Cryptography | Select industry-standard cryptographic algorithms and protocols, and select appropriate key generation, distribution, management and protection, as well as robust nonce mechanisms. | US FDA 2023 - Premarket |
17 | Cryptography | Use current NIST recommended standards for cryptography (e.g., FIPS 140-3, NIST Suite B), or equivalent-strength cryptographic protection that is expected to be considered cryptographically strong throughout the service life of the device. Manufacturers should not implement cryptographic algorithms that have been deprecated or disallowed in applicable standards or best practices (e.g., NIST SP 800-131A, Transitioning the Use of Cryptographic Algorithms and Key Lengths). Implementation of algorithms with a status of “legacy use” should be discussed with FDA during a pre-submission meeting | US FDA 2023 - Premarket |
18 | Cryptography | Design a system architecture and implement security controls to prevent a situation where the full compromise of any single device can result in the ability to reveal keys for other devices. For example, avoid using master-keys stored on device, or key derivation algorithms based solely on device identifiers or other readily discoverable information. | US FDA 2023 - Premarket |
19 | Cryptography | Implement cryptographic protocols that permit negotiated parameters/versions such that the most recent, secure configurations are used, unless otherwise necessary | US FDA 2023 - Premarket |
20 | Cryptography | Do not allow downgrades, or version rollbacks, unless absolutely necessary for safety reasons, and log and document the event. Downgrades can allow attackers to exploit prior, less protected versions and should be avoided | US FDA 2023 - Premarket |
21 | Code, Data, and Execution Integrity | Hardware-based security solutions should be considered and employed when possible | US FDA 2023 - Premarket |
22 | Code, Data, and Execution Integrity | Authenticate firmware and software. Verify authentication tags (e.g., signatures, message authentication codes (MACs)) of software/firmware content, version numbers, and other metadata. The version numbers intended to be installed should themselves be signed or have MACs. Devices should be electronically and visibly identifiable (e.g., unique device identifier (UDI), model number, serial number) | US FDA 2023 - Premarket |
23 | Code, Data, and Execution Integrity | Allow installation of cryptographically authenticated firmware and software updates, and do not allow installation where such cryptographic authentication either is absent or fails | US FDA 2023 - Premarket |
24 | Code, Data, and Execution Integrity | Ensure that all software and firmware on the device is protected from unauthorized access, modification, and deletion, regardless of whether the software and firmware resides within a virtual private network (VPN) or on the cloud. Maintain all software and firmware in a secure environment and perform routine security updates. Encrypt all software updates prior to transmission. | US FDA 2023 - Premarket |
25 | Code, Data, and Execution Integrity | Ensure that all software/firmware changes are tracked and that the appropriate personnel review and approve these changes prior to implementation. Software or firmware changes that are not approved should not be allowed to execute. A cryptographic mechanism such as digital signatures should be used to ensure software/firmware integrity (e.g., during updates or during execution) and to confirm that the software/firmware originates from a known source, is up-to-date, and has not been tampered with | US FDA 2023 - Premarket |
26 | Code, Data, and Execution Integrity | Provide secure coding guidance to developers (e.g., guidance from the FDA, NIST, ISO, IEEE, etc.) and encourage compliance with industry-recognized secure coding standards. Review the software design and coding process for security vulnerabilities, especially those resulting from faulty design, implementation, or integration | US FDA 2023 - Premarket |
27 | Code, Data, and Execution Integrity | Implement and maintain secure software development lifecycle practices throughout the entire lifecycle of the device (e.g., requirements definition, design, implementation, verification, maintenance, and retirement) | US FDA 2023 - Premarket |
28 | Code, Data, and Execution Integrity | Incorporate security features into the design of the device, such as data execution prevention (DEP), address space layout randomization (ASLR), and stack overflow protections. These protections are intended to mitigate the risk of common software security vulnerabilities. | US FDA 2023 - Premarket |
29 | Code, Data, and Execution Integrity | Use hardware features designed to support security in depth, such as trusted platform modules (TPMs), secure enclaves, and hardware root of trust | US FDA 2023 - Premarket |
30 | Code, Data, and Execution Integrity | Design and implement software/firmware updates to be secure by design. Ensure that updates can be verified for integrity, that they are resistant to man-in-the-middle attacks, and that updates are obtained from an authenticated source. Consider using secure boot mechanisms and encrypted channels for secure software/firmware updates | US FDA 2023 - Premarket |
31 | Code, Data, and Execution Integrity | Implement runtime integrity protections to detect and prevent unauthorized changes to critical files, settings, and configurations. For example, deploy integrity monitoring solutions that can detect unauthorized changes to files, registry settings, and configuration parameters, and generate alerts or take other appropriate actions (e.g., halt, notify administrator) | US FDA 2023 - Premarket |
32 | Code, Data, and Execution Integrity | Employ controls to protect against rollback of software/firmware updates to a less secure version. For example, use cryptographic hashes or signatures to ensure that software/firmware updates have not been tampered with and that only signed updates are accepted and applied | US FDA 2023 - Premarket |
33 | Code, Data, and Execution Integrity | Implement measures to mitigate the risk of supply chain compromises, including tamper-evident packaging, supply chain visibility, and vetting of suppliers | US FDA 2023 - Premarket |
34 | Code, Data, and Execution Integrity | Ensure that all components, including open source and third-party software, are kept up-to-date with the latest security patches and updates. Establish a process for monitoring and applying patches and updates in a timely manner | US FDA 2023 - Premarket |
35 | Code, Data, and Execution Integrity | Ensure that code, data, and execution integrity mechanisms function properly throughout the lifecycle of the device. Test these mechanisms during design verification, validation, and during routine maintenance | US FDA 2023 - Premarket |
36 | Code, Data, and Execution Integrity | Develop a response plan for addressing vulnerabilities discovered post-market and take appropriate corrective actions to mitigate risk, which may include software patches, firmware updates, or other remediation measures. Ensure that post-market vulnerability assessments and remediation efforts follow a risk-based approach | US FDA 2023 - Premarket |
37 | Confidentiality | Ensure that sensitive data is encrypted both in transit and at rest using industry-standard encryption algorithms (e.g., AES, RSA, ECC) and appropriate key management practices | US FDA 2023 - Premarket |
38 | Confidentiality | Protect the confidentiality of sensitive data (e.g., patient information, device configurations, system logs) through access controls, encryption, and other appropriate means. Limit access to sensitive data to only those users and systems that require it for legitimate purposes | US FDA 2023 - Premarket |
39 | Confidentiality | Implement logging mechanisms to record access to sensitive data, security-related events, and other relevant activities. Ensure that logs are protected from unauthorized access, tampering, and deletion. Periodically review and analyze logs for indications of security incidents, unauthorized access, or other anomalies | US FDA 2023 - Premarket |
40 | Confidentiality | Provide a mechanism to allow authorized users (e.g., system administrators, healthcare providers) to access audit logs for review and analysis. Ensure that audit logs capture key security events (e.g., logins, failed login attempts, privilege changes, configuration changes, critical system events) | US FDA 2023 - Premarket |
41 | Confidentiality | Limit the collection, storage, and transmission of personally identifiable information (PII) and other sensitive data to only what is necessary for the intended purpose of the device. Encrypt any stored or transmitted PII or sensitive data | US FDA 2023 - Premarket |
42 | Confidentiality | Implement appropriate access controls and authorization mechanisms to prevent unauthorized access to sensitive data. Enforce the principle of least privilege by granting users only the access necessary to perform their authorized functions | US FDA 2023 - Premarket |
43 | Confidentiality | Encrypt communication channels to prevent eavesdropping, tampering, and other unauthorized access. Use secure protocols (e.g., TLS) and strong cryptographic algorithms to protect data in transit | US FDA 2023 - Premarket |
44 | Confidentiality | Protect sensitive data (e.g., PHI, PII) stored in the cloud by implementing appropriate security controls (e.g., encryption, access controls, data masking) | US FDA 2023 - Premarket |
45 | Confidentiality | Ensure that cloud service providers (CSPs) comply with applicable security and privacy regulations (e.g., HIPAA, GDPR) and provide assurances of compliance through contractual agreements, certifications, and third-party audits | US FDA 2023 - Premarket |
46 | Integrity | Use digital signatures, message authentication codes (MACs), or other cryptographic mechanisms to ensure the integrity of transmitted data, including commands, configuration data, and updates | US FDA 2023 - Premarket |
47 | Integrity | Protect against unauthorized modification of critical configuration settings, parameters, and other data that could affect the safety, effectiveness, or performance of the device. This includes preventing unauthorized changes to software, firmware, and hardware configurations | US FDA 2023 - Premarket |
48 | Integrity | Validate input data to ensure that it is well-formed, valid, and within acceptable ranges. Implement input validation controls to prevent buffer overflows, SQL injection, cross-site scripting (XSS), and other common attack vectors | US FDA 2023 - Premarket |
49 | Integrity | Employ integrity checks and checksums to detect unauthorized changes to firmware, software, and critical data. Perform regular integrity checks during operation and upon startup to ensure that the device has not been tampered with or compromised | US FDA 2023 - Premarket |
50 | Integrity | Implement controls to ensure the integrity of critical processes, including those related to device operation, data handling, and system configuration. These controls should prevent unauthorized access, tampering, and other forms of interference | US FDA 2023 - Premarket |
51 | Integrity | Use secure boot mechanisms to ensure that only trusted and authenticated firmware/software is loaded and executed on the device. Validate the integrity of firmware/software during the boot process and refuse to boot if the integrity checks fail | US FDA 2023 - Premarket |
52 | Integrity | Use hardware features such as secure boot, secure enclave, and hardware root of trust to protect against unauthorized modifications to firmware and critical system components | US FDA 2023 - Premarket |
53 | Integrity | Employ runtime integrity protections to detect and prevent unauthorized changes to critical files, settings, and configurations. Implement integrity monitoring solutions that can detect and respond to unauthorized changes in real-time | US FDA 2023 - Premarket |
54 | Integrity | Use cryptographic mechanisms to ensure the integrity of data stored in non-volatile memory (e.g., flash memory, EEPROM). Implement protections to prevent unauthorized modifications to stored data, including encryption, digital signatures, and access controls | US FDA 2023 - Premarket |
55 | Non-repudiation | Implement mechanisms to ensure the integrity and authenticity of data generated by the device, such as timestamps, digital signatures, and cryptographic hashes. These mechanisms should be used to provide non-repudiation, ensuring that the origin and integrity of data can be verified and attributed to specific sources | US FDA 2023 - Premarket |
56 | Non-repudiation | Ensure that audit logs and other records of device activity are tamper-evident and resistant to modification. Use cryptographic techniques to protect the integrity of logs and to provide evidence of tampering or unauthorized access | US FDA 2023 - Premarket |
57 | Non-repudiation | Implement controls to prevent the deletion, alteration, or tampering of audit logs and other records of device activity. Log entries should be time-stamped, and changes to logs should be logged and reviewed | US FDA 2023 - Premarket |
58 | Non-repudiation | Ensure that audit logs capture key security events (e.g., logins, failed login attempts, privilege changes, configuration changes, critical system events). Implement mechanisms to detect and respond to suspicious or anomalous behavior | US FDA 2023 - Premarket |
59 | Non-repudiation | Provide a mechanism for authorized users (e.g., system administrators, healthcare providers) to review and analyze audit logs. Implement access controls to restrict access to audit logs to authorized personnel | US FDA 2023 - Premarket |
60 | Non-repudiation | Use cryptographic techniques to provide non-repudiation for device commands and actions. Digital signatures and other cryptographic mechanisms should be used to ensure that commands and actions can be attributed to specific users or entities | US FDA 2023 - Premarket |
61 | Resilience | Implement resilience measures to ensure continued device functionality in the event of component failures, network interruptions, or other adverse conditions. This may include redundancy, failover mechanisms, and graceful degradation of non-essential services | US FDA 2023 - Premarket |
62 | Resilience | Design devices to recover gracefully from unexpected faults, errors, and exceptions. Implement error handling and recovery mechanisms to mitigate the impact of software bugs, hardware failures, and other faults | US FDA 2023 - Premarket |
63 | Resilience | Ensure that critical device functions (e.g., therapeutic delivery, patient monitoring) continue to operate correctly in the event of software or firmware failures. Implement safety-critical software in accordance with relevant standards (e.g., IEC 62304, ISO 14971) and perform thorough testing to validate safety and reliability | US FDA 2023 - Premarket |
64 | Resilience | Implement robust error detection and correction mechanisms to prevent or mitigate data corruption, transmission errors, and other forms of data loss or degradation. Use error checking and correction (ECC) codes, checksums, and other techniques to detect and correct errors in data transmission and storage | US FDA 2023 - Premarket |
65 | Resilience | Use redundant and diverse communication pathways (e.g., wired, wireless, cellular) to ensure continued connectivity in the event of network failures or disruptions. Implement failover mechanisms to automatically switch to alternate communication channels if primary channels become unavailable | US FDA 2023 - Premarket |
66 | Resilience | Employ backup and recovery mechanisms to protect against data loss and corruption. Regularly backup critical data and configurations, and test backup and recovery procedures to ensure their effectiveness. Store backups in a secure location, separate from the primary data storage, to prevent loss due to disasters or other catastrophic events | US FDA 2023 - Premarket |
67 | Resilience | Implement mechanisms to detect and respond to abnormal system behavior, such as resource exhaustion, memory leaks, and process crashes. Use monitoring tools and diagnostic capabilities to identify and troubleshoot issues before they impact device functionality | US FDA 2023 - Premarket |
68 | Resilience | Design devices to be modular and easily upgradeable to accommodate future enhancements and changes. Implement hot-swappable components and interfaces to minimize downtime during maintenance and upgrades | US FDA 2023 - Premarket |
69 | Resilience | Conduct thorough risk assessments and hazard analyses to identify potential failure modes, their impact on device performance, and mitigation strategies. Use failure mode and effects analysis (FMEA) and other risk management techniques to prioritize risks and develop resilience measures | US FDA 2023 - Premarket |
70 | Resilience | Establish a robust incident response plan to address security breaches, device failures, and other adverse events. Define roles and responsibilities, escalation procedures, and communication protocols for responding to incidents in a timely and effective manner | US FDA 2023 - Premarket |
71 | Transparency and Traceability | Provide transparent and accurate information about device security features, capabilities, and limitations to users, healthcare providers, regulators, and other stakeholders. Include security-related information in user manuals, labeling, and other documentation provided with the device | US FDA 2023 - Premarket |
72 | Transparency and Traceability | Maintain records of security-related activities, including security testing, vulnerability assessments, and remediation efforts. Keep documentation of security controls, configurations, and security incidents for auditing and regulatory purposes | US FDA 2023 - Premarket |
73 | Transparency and Traceability | Engage in proactive communication with customers and stakeholders regarding security vulnerabilities, patches, updates, and other security-related information. Establish channels for reporting security incidents, vulnerabilities, and concerns, and respond to reports in a timely and transparent manner | US FDA 2023 - Premarket |
74 | Transparency and Traceability | Provide clear and concise security advisories and alerts to inform users and administrators about security vulnerabilities, patches, updates, and other relevant information. Make security advisories readily accessible through multiple channels (e.g., websites, email notifications, social media) | US FDA 2023 - Premarket |
75 | Transparency and Traceability | Maintain a comprehensive inventory of all software and hardware components used in the device, including third-party libraries and dependencies. Keep records of version numbers, patch levels, and other relevant information to facilitate vulnerability management and risk assessment | US FDA 2023 - Premarket |
76 | Transparency and Traceability | Collaborate with regulators, industry groups, and other stakeholders to share information and best practices for medical device security. Participate in working groups, standards development organizations, and other forums to contribute to the advancement of medical device cybersecurity | US FDA 2023 - Premarket |
77 | Transparency and Traceability | Maintain accurate and up-to-date documentation for the device, including design specifications, security architecture, threat models, risk assessments, and security testing reports. Make documentation available to authorized users, regulators, and other stakeholders upon request | US FDA 2023 - Premarket |
78 | Transparency and Traceability | Provide mechanisms for reporting security vulnerabilities and concerns to the manufacturer, regulatory authorities, and other relevant organizations. Establish clear channels for receiving and triaging reports, and respond to reports in a timely and responsible manner | US FDA 2023 - Premarket |
79 | Transparency and Traceability | Implement procedures for reviewing and assessing third-party products and services used in the development and operation of the device. Evaluate the security posture of third-party vendors and conduct due diligence to ensure that they meet security requirements and standards | US FDA 2023 - Premarket |
80 | Transparency and Traceability | Conduct regular security assessments and audits to evaluate the effectiveness of security controls, identify vulnerabilities, and validate compliance with security requirements and standards. Use the results of assessments to improve security posture and mitigate risks | US FDA 2023 - Premarket |
81 | Usability | Design devices to be intuitive and easy to use, with clear and consistent user interfaces. Incorporate human factors engineering principles to optimize usability and minimize user errors | US FDA 2023 - Premarket |
82 | Usability | Provide user training and education to ensure that users understand how to operate the device safely and securely. Develop user manuals, training materials, and other educational resources to support users in learning and using the device effectively | US FDA 2023 - Premarket |
83 | Usability | Implement access controls and authorization mechanisms that balance security requirements with usability. Ensure that users can access the functions and information they need to perform their tasks without unnecessary barriers or impediments | US FDA 2023 - Premarket |
84 | Usability | Use clear and informative error messages to communicate with users in the event of errors, warnings, or other system events. Provide guidance on how to resolve issues and take appropriate actions | US FDA 2023 - Premarket |
85 | Usability | Incorporate feedback mechanisms to gather input from users and stakeholders about device usability, performance, and security. Use feedback to identify areas for improvement and inform future iterations of the device | US FDA 2023 - Premarket |
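As an added example (not from the FDA guidance or from this page), the update-acceptance logic behind controls 10, 20, 22, 23 and 32 in Python: the build side tags the content hash, the version number and the model together, and the device authenticates the manifest before it trusts any field, rejects untagged or tampered images, and refuses a rollback. The key, model name and firmware bytes are constructed for the demo, and an HMAC stands in for the authentication tag because it is in the standard library; a real device would verify an asymmetric signature so that it holds no secret key.

```python
import hashlib
import hmac
import json
import zlib

# Constructed demo key (assumption). It stands in for a device-specific key provisioned
# at manufacture; a production design would use an asymmetric signature so that the
# device stores only a public key and no secret that could be extracted from it.
DEVICE_KEY = b"constructed-demo-key-do-not-use"

MANIFEST_FIELDS = ("model", "version", "sha256")


def _tag(body: dict) -> str:
    """MAC over a canonical encoding of the manifest body (content hash, version, model)."""
    encoded = json.dumps(body, sort_keys=True).encode()
    return hmac.new(DEVICE_KEY, encoded, hashlib.sha256).hexdigest()


def build_manifest(firmware: bytes, version: int, model: str) -> dict:
    """Build-side: tag the content hash, version number and model as one unit, so the
    version cannot be altered independently of the image (control 22)."""
    body = {"model": model, "version": version,
            "sha256": hashlib.sha256(firmware).hexdigest()}
    return {**body, "mac": _tag(body)}


def verify_update(manifest: dict, firmware: bytes,
                  installed_version: int, model: str) -> tuple:
    """Device-side acceptance check.

    Returns (True, new_version) when the update may be installed, otherwise
    (False, reason). Order matters: authenticate first, then base every further
    decision only on the authenticated fields.
    """
    if "mac" not in manifest:
        return False, "authentication tag absent"                   # control 23
    if any(f not in manifest for f in MANIFEST_FIELDS):
        return False, "manifest incomplete"
    body = {f: manifest[f] for f in MANIFEST_FIELDS}
    if not hmac.compare_digest(manifest["mac"], _tag(body)):
        return False, "authentication tag invalid"                  # control 23
    if body["model"] != model:
        return False, "manifest is for another device model"
    if hashlib.sha256(firmware).hexdigest() != body["sha256"]:
        return False, "firmware content does not match manifest"    # control 22
    if body["version"] <= installed_version:
        return False, "version rollback refused"                    # controls 20, 32
    return True, body["version"]


def unauthenticated_checksum(firmware: bytes) -> int:
    """The keyless CRC an unauthenticated manifest would carry; anyone can recompute it."""
    return zlib.crc32(firmware)


def crc_only_check(firmware: bytes, crc: int) -> bool:
    """What control 10 warns against: a CRC detects noise, not a deliberate change,
    because a modified image simply ships with a freshly computed CRC."""
    return zlib.crc32(firmware) == crc


if __name__ == "__main__":
    # Constructed sample image; a real device reads this from its update channel.
    good = b"PUMP-X firmware v2 (constructed)"
    manifest = build_manifest(good, version=2, model="PUMP-X")
    print(verify_update(manifest, good, installed_version=1, model="PUMP-X"))
    tampered = good.replace(b"v2", b"v2-modified")
    print(verify_update(manifest, tampered, installed_version=1, model="PUMP-X"))
    print(crc_only_check(tampered, unauthenticated_checksum(tampered)))  # CRC is satisfied
```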