New FDA Pre-Market Submission Guidelines for Cybersecurity in Medical Devices - Part II

March 11, 2019 | Posted by Ben Trombold

Our first topic concerns classification of medical devices according to the new FDA guidance. Two separate tiers of classification are described:

  • Tier 1 – Higher Cybersecurity Risk
    • The device is capable of connecting (wired or wireless) to another medical or non-medical product, to a network, or to the internet AND
    • A cybersecurity incident affecting the device could directly result in harm to multiple patients, e.g. a scaled attack, in which an attack on one device exposes information that is then used to attack a larger set of devices
  • Tier 2 – Standard Cybersecurity Risk
    • A medical device for which criteria for a tier 1 device are not met, AKA “everything else”

It should be noted that these cybersecurity tiers have nothing to do with any other type of classification of safety or risk as it pertains to a medical device or software. When evaluating whether a device is Tier 1 or 2, the first question should be “does the device have any form of connectivity over any medium to any other device, medical or otherwise?” Most products made in the last 20 years do. Yes, smartphones count! So do custom devices. Although the device itself may not directly connect to the internet, if it communicates with any device, it does count toward Tier 1 classification.

The next Tier 1 identifying question is, “can the device be manipulated to harm a patient?” It should be noted that this is not described on some scale of risk, where there is a documented difference between the creation of a blister on a finger and fatalities. In this case, both are considered harm. Very few medical devices are able to say they cannot cause any harm, but for the purposes of being considered Tier 1, the potential for causing harm to multiple patients must be present. If these criteria are not all met, then it is a Tier 2 device.

As an example, consider a patient-worn device that communicates via Bluetooth Low Energy with a smartphone, where an app controls device temperature. In order for the device to accept the app’s commands, the app must authenticate itself to the device via credentials common to all instances of the same device model. Under normal operating conditions, the device’s temperature can range between 100 and 170 degrees Fahrenheit.

When classifying this device according to the new guidance:

  • This device could cause harm via thermal burns
  • This device communicates with another device via Bluetooth Low Energy
  • Multiple devices could be attacked if the common credentials were exposed

Therefore, it is a Tier 1 device.

This concludes the second part in our series covering the new FDA cybersecurity guidance. Next, we will break down how to design and develop trustworthy devices. If you'd rather not wait, you can download the entire white paper here.

To learn more about Christopher Gates and his background in medical devices and cybersecurity.

