FDA Cybersecurity Guidance
December 18, 2019

How to Follow FDA Cybersecurity Guidance

Static Analysis
Security & Compliance

The FDA regulates the safety, efficiency, and security of medical devices. And, in an effort to improve the quality of care, medical devices are now being connected to the internet, hospital networks, and other medical devices. Unfortunately, medical devices can and often do have cybersecurity vulnerabilities.

This means that software that used to be secure from cyberthreats have become vulnerable to cyberattacks as medical devices continue to be integrated into the Internet of Things (IoT). In fact, 93% of healthcare organizations have reported a data breach within the past three years, according to a recent report from Health Leaders. And, the average cost of a data breach is $423 per record or nearly $4 billion by the end of 2019.

For that reason, it is essential that your medical devices are compliant with the FDA cybersecurity guidance. Static application security testing (SAST) tools — like a static code analyzer — are essential to ensuring that your code cannot be exploited by cyberthreats.

This blog outlines FDA cybersecurity guidance and examines how to achieve secure medical device development through best practices and SAST tools.

What are FDA Cybersecurity Guidelines

In 2018, the FDA published a draft of its latest cybersecurity guidance. The guidance helps developers ensure that their medical devices are safe and secure. Following the guidance also increases the likelihood of a device meeting FDA clearance.

While the FDA cybersecurity guidance provides instructions for a wide variety of medical devices, the most essential to embedded devices include the following:

  • Provide documentation related to design controls. Specifically, documentation on design validation, software validation, and risk analysis.
  • Ensure that all incoming data is not modified in transit or at rest. And, that it is compliant with the specifications.
  • Use industry-accepted best practices to maintain and verify the integrity of code while it is being executed by the device.
  • Design should ensure that the medical device can detect and respond to cybersecurity risks. This includes the need for cybersecurity updates and patches as well as emergency workarounds.
  • Implement medical device features that protect critical functionality and data, even when the device’s cybersecurity has been compromised.

As establishing an effective cybersecurity process can be difficult, the FDA has also published a medical device cybersecurity fact sheet to help answer some frequently asked questions.

How to Implement Secure Medical Device Development

Complying with FDA cybersecurity guidelines is only one aspect of secure medical device development. While there are several practices that support cybersecurity, the most relevant to medical device software development includes the following:

Employ a Risk-based Development Strategy

Under the new FDA cybersecurity guidelines, a medical device will be classified as either:

  • Tier 1,which includes connected devices that could greatly impact patient care if they were compromised by a cyberattack.
  • Tier 2, which includes all other devices that cannot be classified as Tier 1.

For both Tiers, software development teams will need to:

  • Conduct thorough risk assessments to identify vulnerabilities in the code, and understand the potential impact that each could have.
  • Address security vulnerabilities.
  • Implement design controls to ensure security.
  • Establish data integrity requirements.

Risk-based practices should be a part of the development process from the beginning. That way, risks are addressed as they arise rather than after the device has been released.

Establish a Secure Development Lifecycle

Secure development lifecycle (SDL) is a software development process intended to reduce software maintenance costs and increase software security. The standard SDL is organized into the following phases:

  • Requirements
    In the Requirements Phase, security best practices are integrated into the product. These practices could include industry standards, coding standards, or from historic data.
  • Design
    The Design Phase often involves threat modeling to thoroughly examine how a feature or system could be compromised by cyberthreats. Based upon each of those potential threats, solutions are then included in the design.
  • Implementation
    The Implementation Phase simply involves writing the source code. Often secure coding guidelines — such as MISRA and CERT — are used to help define what is expected of the code. And, SAST tools — such as a static code analyzer — are often used to help identify potential vulnerabilities in the source code.
  • Test
    The Test Phase involves completely security functional test plans, running vulnerability scanning, and conducting penetration testing.
  • Release/Response
    The Release/Response Phase simply involves the device being released, and addressing any problems as succinctly and efficiently as possible.

Use Software Development and SAST Tools

A static code analyzer — like Klocwork — is an essential SAST tool that can help to ensure that there are no gaps in a medical device’s cybersecurity and demonstrate that the project has been compliant with FDA cybersecurity guidelines throughout the software development lifecycle.

Static code analyzers inspect your source code to find potential quality and security issues. During these inspections, the tool will identify programming errors, coding standard violations, and security weaknesses. With Klocwork, you are able to apply and enforce coding guidelines — such as CERT and CWE — to ensure that your medical devices and software are protected against cyberthreats. This makes the SAST tool invaluable to ensure that your projects stay in compliance with FDA cybersecurity guidelines throughout your software development lifecycle.

In addition, static code analyzers provide medical device software developers with the following benefits:

  • Detecting code vulnerabilities, compliance issues, and rule violations earlier in development (and accelerating code reviews/manual testing efforts).
  • Enforcing industry and coding standards.
  • Reporting on compliance over time and across product versions.

See How Klocwork Can Help

See how Klocwork can help you develop medical devices with an effective cybersecurity process. Request a trial to learn firsthand how much of a difference the SAST tool can make to your software development process.

Achieve Cybersecurity With Klocwork