What should my cybersecurity management plan entail?

"The future of cybersecurity is not in building higher walls but in building smarter systems that can adapt and learn from each new challenge".

-Dan Schulman, CEO of Paypal

FDA risk mitigation overview

This is not intended to be an exhaustive list. We recommend that you consult FDA resources to plan and implement better risk mitigation strategies.

According to the FDA, you must have a strategy for identifying, monitoring, and addressing cybersecurity vulnerabilities and potential exploits, a plan for addressing vulnerability disclosures and for establishing incident response protocols, as well as a plan for post-market updates and patches on a routine basis.

They also require that you report major cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours after the incident. For ransomware payment cyber attacks, you have 24 hours to report this to CISA.

"The pace of technological change requires us to rethink our strategies for security, and embrace a proactive, not reactive, mindset."

-Bruce Schnier

FDA 2014 premarket cybersecurity guidelines

The FDA 2014 Premarket Cybersecurity Guidance recommended that manufacturers provide the following:

• Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including:

  • A specific list of all cybersecurity risks that were considered in the design of your device;

  • A specific list and justification for all cybersecurity controls that were established for your device.

• A traceability matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered.

It also recommends managing the device postmarket and providing the plans as part of the premarket submission in Section 6, Items 3 and 4.

• Plan for continuing support: How your company will monitor and maintain cybersecurity

• Plan for malware-free shipping: How your company will ensure malware isn’t introduced in the manufacturing process or while devices are being updated in the field.

Managing postmarket cybersecurity in medical devices

Device labeling

You should also address labeling as part of your cybersecurity program, including device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g., antivirus software, use of firewall). This should be consistent with your risk controls, including any configuration on the computer or platform (e.g., popup blocker recommendation). It should also include instructions to ensure the safe and effective use of the device, including interfaces and functionality, security controls that the user interacts with (e.g., password, software updates, etc.), your Manufacturer Disclosures Statement for Medical Device Security (if you provide it to customers), also called MDS2., your SBOM (if you provide it to customers), and logging capabilities and forensic log capture.

Create your cybersecurity strategy

This list isn't exhaustive, but should help you get started on created your cybersecurity strategy.

1. Understand the regulatory requirements for medical devices

2. Choose encryption tools

3. Determine encryption algorithms

4. Key management

5. Auditing data

6. Speed of the encryption

7. Consider hardware resource constraints

What does a medical device encompass?

"The definition of a medical device encompasses not only capital equipment, but also surgical instruments, patient monitoring, and even software. The breadth and variety of the field, combined with the critical importance of med devices to life and safey, requires a deliberate, focused approach to cybersecurity to ensure that they are resilient throughout their lifecycle."

-Nancy Brainerd (CISSP/CIPP), Senior Director of Product Security

Common risks to be aware of