FDA Cybersecurity Guidelines
December 18, 2019

How to Follow FDA Cybersecurity Guidelines

Static Analysis
Security & Compliance

The FDA is a federal agency that regulates the safety, efficiency, and security of medical devices. And, in an effort to improve the quality of care, medical devices are now being connected to the internet, hospital networks, and other medical devices. Unfortunately, medical devices can and often do have cybersecurity vulnerabilities.

This means that software that used to be secure from cyberthreats have become vulnerable to cyberattacks as medical devices continue to be integrated into the Internet of Things (IoT). In fact, 93% of healthcare organizations have reported a data breach within the past three years, according to a recent report from Health Leaders. And, the average cost of a data breach is $423 per record or nearly $4 billion by the end of 2019.

For that reason, it is essential that your medical devices are compliant with the FDA cybersecurity guidelines. Static application security testing (SAST) tools — like a static code analyzer — are essential to ensuring that your code cannot be exploited by cyberthreats.

Here we explain what are the FDA cybersecurity guidelines and how to achieve secure medical device development through best practices and SAST tools.

What are the FDA Cybersecurity Guidelines?

In 2018, the agency published a draft of its latest FDA cybersecurity guidelines. The guidance helps developers ensure that their medical devices are safe and secure. Following the guidance also increases the likelihood of a device meeting the requirements for clearance.

While the guideline provides instructions for a wide variety of medical devices, the most essential to embedded devices include the following:

  • Provide documentation related to design controls. Specifically, documentation on design validation, software validation, and risk analysis.
  • Ensure that all incoming data is not modified in transit or at rest. And, that it is compliant with the specifications.
  • Use industry-accepted best practices to maintain and verify the integrity of code while it is being executed by the device.
  • Design should ensure that the medical device can detect and respond to cybersecurity risks. This includes the need for cybersecurity updates and patches as well as emergency workarounds.
  • Implement medical device features that protect critical functionality and data, even when the device’s cybersecurity has been compromised.

As establishing an effective cybersecurity process can be difficult, the agency has also published a medical device cybersecurity fact sheet to help answer some frequently asked questions.

How to Follow FDA Cybersecurity Guidelines for Secure Medical Device Development

Complying with guidelines is only one aspect of secure medical device development. While there are several practices that support cybersecurity, the most relevant to medical device software development includes the following:

Employ a Risk-Based Development Strategy for FDA Cybersecurity Guidelines

Under the new guidelines, a medical device will be classified as either:

  • Tier 1,which includes connected devices that could greatly impact patient care if they were compromised by a cyberattack.
  • Tier 2, which includes all other devices that cannot be classified as Tier 1.

For both Tiers, software development teams will need to:

  • Conduct thorough risk assessments to identify vulnerabilities in the code, and understand the potential impact that each could have.
  • Address security vulnerabilities.
  • Implement design controls to ensure security.
  • Establish data integrity requirements.

Risk-based practices should be a part of the development process from the beginning. That way, risks are addressed as they arise rather than after the device has been released.

Follow the 5 Phases of a Secure Development Lifecycle to Help Ensure FDA Cybersecurity Guidelines

Secure development lifecycle (SDL) is a software development process intended to reduce software maintenance costs and increase software security.

The five phases of a standard SDL are:

1. Requirements: In the Requirements Phase, security best practices are integrated into the product. These practices could include industry standards, coding standards, or from historic data.

2. Design: The Design Phase often involves threat modeling to thoroughly examine how a feature or system could be compromised by cyberthreats. Based upon each of those potential threats, solutions are then included in the design.

3. Implementation:The Implementation Phase simply involves writing the source code. Often secure coding guidelines — such as MISRA and CERT — are used to help define what is expected of the code. And, SAST tools — such as a static code analyzer — are often used to help identify potential vulnerabilities in the source code.

4. Test:The Test Phase involves completely security functional test plans, running vulnerability scanning, and conducting penetration testing.

5. Release/Response: The Release/Response Phase simply involves the device being released, and addressing any problems as succinctly and efficiently as possible.

Why You Should Use Software Development and SAST Tools

A static code analyzer — like Klocwork — is an essential SAST tool that can help to ensure that there are no gaps in a medical device’s cybersecurity and demonstrate that the project has been compliant with guidelines throughout the software development lifecycle.

Static code analyzers inspect your source code to find potential quality and security issues. During these inspections, the tool will identify programming errors, coding standard violations, and security weaknesses. With Klocwork, you are able to apply and enforce coding guidelines — such as CERT and CWE — to ensure that your medical devices and software are protected against cyberthreats. This makes the SAST tool invaluable to ensure that your projects stay in compliance with guidelines throughout your software development lifecycle.

In addition, static code analyzers provide medical device software developers with the following benefits:

  • Detecting code vulnerabilities, compliance issues, and rule violations earlier in development (and accelerating code reviews/manual testing efforts).
  • Enforcing industry and coding standards.
  • Reporting on compliance over time and across product versions.

See How Klocwork Can Help Ensure FDA Cybersecurity Guidelines

See how Klocwork can help you develop medical devices with an effective cybersecurity process. Request a trial to learn firsthand how much of a difference the SAST tool can make to your software development process.

Ensure cybersecurity