Medical Device Cybersecurity Draft Guidance Explainer Series Part 2 of 3 – Security Architecture 

Eight years after the publication of the ‘
Content of Premarket Submissions for Management of Cybersecurity in Medical Devices’ in 2014, the FDA issued a new draft guidance document on April 8th, 2022. The draft guidance describes the security steps that a medical device manufacturer should take when making a premarket submission. To learn more, you can check out this blog post which details what’s involved and the implications for medical device manufacturers.  

In terms of cybersecurity, the new draft guidance is broken into three key sections:  

                    1. Security Risk Management, which amongst other things mentions the use of threat modelling, SBOMS and security assessment of unresolved anomalies.
                    2. Security Architecture, which discusses the implementation of security architecture controls and secure architecture views.
                    3. Cybersecurity Testing, which looks closely at security requirements, threat mitigation, vulnerability testing, and penetration testing.   

To allow medical device manufacturers to better understand the contents of the 49-page document, Nova Leah decided to run a 3-part explainer series. In the
first of this series we introduced some of the recommended security risk management protocols. Now, we will take a closer look at Part B – Security Architecture. 

Security Architecture 

While security architecture can be defined in a number of ways, fundamentally it is a set of security principles, methods and models designed to keep your organization, medical devices and your patients safe. 

Cybersecurity architecture combines security software and appliance solutions, and is the foundation of protecting a device from cybersecurity attacks. Effective cybersecurity relies upon security being “built-in” to a device, and not “bolted-on” afterwards. However, one’s cybersecurity architecture should be able to adapt to an ever-evolving threat landscape. 

Within the draft guidance document, the following is said about security architecture: 

“Manufacturers are responsible for identifying cybersecurity risks in their devices and the systems in which they expect those devices to operate and implementing the appropriate controls to mitigate those risks.  

A security architecture, like a system architecture, defines the system and all end-to-end connections in or out of the system. A security architecture definition process includes both high-level definitions of the devices and/or systems that interact, and detailed information on the implementations for how those interactions occur and are secured. It contains information that demonstrates that the risks considered during the risk management process are adequately controlled, which, in turn, supports the demonstration of the safety and effectiveness of the medical device system.” 

Security Architecture Recommendations 

Within the draft guidance document, the FDA provides the following recommendations related to security architecture: 

                      • Premarket submissions should include documentation on the security architecture. The objective here is to provide the security context and trust boundaries of the system in terms of its interfaces, interconnections, and interactions with external entities.  
                      • Plans and procedures related to security architecture should include design processes, design requirements, and acceptance criteria.
                      • Medical device manufactures should analyse the entire system in order to fully understand the environment and context in which the device operates.
                      • Security controls are an integral part of an SPDF. FDA recommends that an adequate set of security controls should include: Authentication, Authorization, Cryptography, Code, Data, and Execution Integrity, Confidentiality, Event Detection and Logging, Resiliency and Recovery, and Updatability and Patchability. 

Understanding Security Architecture Views 

The draft guidance outlines how a medical device manufacturer should document the security architecture through the use of security architecture views. These views are essentially ways in which information is presented within your premarket submission.  

FDA recommends manufacturers develop and maintain security architecture view documentation as a part of the process for the design, development and maintenance of the system. 

FDA recommends providing the following types of views in premarket submissions: 

                      • Global System View: A global system view should describe the overall system, including the device itself and all internal and external connections. For interconnected and networked devices, this view should identify all interconnected elements, including any software update infrastructure(s), health care facility network impacts, intermediary connections or devices, cloud connections, etc.  
                      • Multi-Patient Harm View: When devices are capable of connecting to another medical product or to the Internet, there is the possibility that multiple devices can be compromised simultaneously. Knowing this may change the device’s intended use and the way in which the system responds to potential threats.  
                      • Updatability/Patchability View:  With the need to provide timely, reliable updates to devices incredibly important, FDA recommends that manufacturers provide an updatability and patchability view. This view should describe the end-to-end process that permits software updates and patches to be provided to the device. 
                      • Security Use Case View(s): In addition to the views identified above, security use case views should also be provided. Security use cases should be included for all system features within which a security compromise could impact the safety or effectiveness of the device.  

IMDRF’s Principles and Practices for Medical Device Cybersecurity

In 2020, The International Medical Device Regulators Forum (IMDRF) published guidance on the
Principles and Practices for Medical Device Cybersecurity.  The document examines general principles and practices for device cybersecurity. It seeks to help stakeholders to better comprehend security risks and to better protect their medical devices.  

In terms of security architecture, this document underscores the need to address cybersecurity threats at the design stage. As we mentioned above, security should be “built-in” to a device, and not “bolted-on” afterwards. A table within the IMDRF documents some design principles that medical device manufacturers should consider in designing their product. These include: 

                        • Secure Communications – the manufacturer should consider how a device interacts with other devices and networks. 
                        • Data Protection – the manufacturer should consider encryption and other confidentiality risk control measures.  
                        • Device integrity – the manufacturer should consider controls such as anti-malware and how modifications are carried out to the device software.  
                        • User Authentication – the manufacturer should consider user access controls that validate who can use the device or grant permissions to use the device. 
                        • Software Maintenance the manufacturer should consider how updates are carried out and what connections are required to carry out updates.
                        • Physical Access the manufacturer should consider controls to prevent an unauthorized person from accessing the device. 
                        • Reliability and Availability the manufacturer should consider design features that allow the device to detect, resist, respond and recover from cybersecurity attacks. 

Within the new draft guidance, the FDA point users to this IMDRF document for additional information. At Nova Leah, we recommend that all medical device manufacturers familiarize themselves with this document also. 

SelectEvidence® And Security Architecture  

SelectEvidence® is an expert cybersecurity risk assessment platform from Nova Leah that guides medical device manufacturers through the process of identifying applicable vulnerabilities and identifying the right security controls to mitigate those risks.  

Establishing a secure design architecture is at the core of SelectEvidence’s functionality. By easily integrating threat modeling with risk management and evaluation, an automated and phased security-by-design lifecycle is achievable.

To learn more about SelectEvidence, and its role in security risk management, you can organize an obligation-free demonstration here.   

Cybersecurity Draft Guidance Series

Introduction – FDA Publishes Draft Guidance on Medical Device Cybersecurity (Pre-Market) 

Explainer Series Part 1 of 3 – Medical Device Cybersecurity Draft Guidance Explainer Series – Security Risk Management

Explainer Series Part 2 of 3 – Medical Device Cybersecurity Draft Guidance Explainer Series – Security Architecture 

Explainer Series Part 3 of 3 – Medical Device Cybersecurity Draft Guidance Explainer Series – Cybersecurity Testing

Cybersecurity Draft Guidance – Read the new draft guidance in full.