Internet of Things: FDA Guidance on Designing and Maintaining Secure Wireless Medical Devices (Part II)
In Part I of our two-part series on FDA's wireless medical device guidance, we provided a high-level overview of FDA's wireless medical device quality control requirements and summarized the agency's general recommendations to medical device manufacturers (MDMs) for securing wireless medical devices. Here, in Part II, we dive into FDA’s more technical recommendations and concrete suggestions for designing, manufacturing, and maintaining safe wireless medical devices. In an era of enhanced FDA supervision (see Part I for further discussion), wireless medical device manufacturers would be wise to take these "recommendations" and "suggestions" to heart.
2.2 FDA Recommendations for the Selection and Performance of Device Wireless Technology and Frequency of Operation
FDA recommends MDMs select wireless technologies with performance capabilities sufficient to meet the wireless quality of service (QoS) required for the device to function properly. The Guidance notes that this is especially important where a device’s functionality relies heavily on its wireless connection. In these instances, a device’s failure to establish or maintain a wireless connection could have serious consequences for its secure and effective operation. FDA also advises MDMs to pay particular attention to the compatibility between a device’s wireless capabilities and its QoS requirements when a device will operate as a part of a network or in environments where the device’s wireless functions will be highly susceptible to breach (e.g., areas where the device will be in close proximity to many other wireless networks).
To minimize the chances that a device’s wireless performance capabilities are insufficient to meet the device’s QoS requirements, FDA recommends that MDMs assess the following for each of the device’s wireless functions:
- Availability and security of wireless signals used by the device
- Acceptable levels of wireless latency (i.e., the amount of time it takes data to travel from sender to receiver via a wireless link or network connection)
- Acceptable likelihood that information will be lost within the wireless network on which the device resides
In addition, FDA recommends that MDMs consider both the impact and likelihood of wireless interference when choosing a device’s frequency of operation. The Guidance explains that such considerations are often necessary for wireless medical devices, as many operate in RF bands that are not entitled to interference protection under FCC Rules. This interference can lead to the loss or corruption of device data, including critical information about device functionality or even a patient's current physical state. Given this, the FDA suggests MDMs assess:
- International availability and band allocation for medical devices, as the devices often end up serving patients located all over the world (and patients’ geographic locations are not static)
- Whether the device needs to have primary or secondary radio service classification, which depends upon the wireless frequency band you choose
- Incumbent users of the selected and adjacent bands, if any, and how they can impact a medical device’s operation
- Any limitations or restrictions for proper operation and RF wireless performance (e.g., alarms, back-up functions, alternative modes of operation) when the RF wireless link is lost or corrupted
- Whether there are interference mitigating technologies (such as frequency hopping or correction protocols) that can be safely incorporated into the device
Note: The Guidance warns that many commercial “off-the-shelf” RF wireless components and systems have not been adequately tested for use in wireless medical devices. As a result, MDMs must establish procedures and controls to ensure that these components conform to the device’s safety and efficacy requirements before they are integrated into the device.
2.3 FDA Recommendations for Providing Wireless Security Information To Device Users
As MDMs are all too aware, the safe and effective functioning of a medical device is highly dependent upon the manner in which the device is handled and operated by others. As a result, FDA regulations require MDMs to provide appropriate information to assist with proper set-up, configuration, and performance of the wireless medical devices. More specifically, the Guidance recommends MDMs include the following in their user instructions:
- Device RF wireless technology type, its data encryption capabilities and specifications, and the specifications for its frequency of operation
- Information about the needed wireless QoS and security protection specifications for the device’s wirelessly enabled functions
- Information about any limitations on the number, output power, or proximity of other in-band transmitters that might adversely impact a device’s system operation
- Information about how users can recognize and address issues that might arise concerning the device's wireless functionality
- For devices that MDMs know are likely to be used in environments with many different kinds of wireless transmitters, information about interference mitigating strategies users should deploy (e.g., suggested device settings)
- Information about using RF wireless technology outside the United States, where different allocations and technical parameters may affect the device’s functionality
Note: FDA seems poised to provide heavy scrutiny of the breadth and quality of information MDMs provide to wireless medical device users re: device safety. The Guidance lists misuse of a device due to “lack of or inadequate instructions for use” as a wireless-related hazard of wireless medical devices, and also calls provision of adequate information an important element in ensuring the efficacy and safety of an MDM. Given this, MDMs may want to review the wireless security information they provide to device users, and make any revisions necessary to ensure that this information is complete and user-friendly.
2.4 FDA Recommendations for Wireless Device Maintenance
Under FDA regulation 21 CFR 820.100(a), MDMs must have a mechanism for collecting and analyzing trends in complaints and reports of device failure, including reports of erratic or unexpected device behavior. The Guidance notes that the following activities qualify as “erratic” or unexpected device behavior:
- Reprogramming of stimulation devices
- Commands missed or misinterpreted by operating room controllers
- Unexplained inconsistencies of an infusion pump
- Failure to activate alarm signals in alarm conditions
As noted in Part I, an MDM that identifies an RF wireless malfunction must investigate the cause of the problem and take action to correct it and prevent its recurrence. FDA also recommends that the MDM conduct an assessment of other product lines that use similar designs or are subject to similar environments to determine whether corrective and preventive actions are needed for those products as well.
3.0 Premarket Submission Cybersecurity Documentation Recommendations
MDMs must also be able to provide documentation of each wireless device security specification and quality control measure that they have adopted with their pre-market submissions to the FDA. Specifically, MDMs' pre-market submissions must include a description of:
- How the wireless device’s design functions can assure timely, reliable, accurate, and secure transfer of data and wireless information
- The device’s wireless QoS requirements and wireless security capabilities
- The device’s wireless security capabilities should include the specific measures needed to (i) protect against unauthorized wireless access to the device’s controls or data, and (ii) ensure that the device does not receive data from unauthorized sources
According to the Guidance, pre-market submissions should also include:
- Hazard analyses, mitigations, and design considerations related to the wireless risks faced by the device, including (i) a "traceability matrix" linking the device’s wireless security capabilities to the corresponding wireless risks the MDM considered during the device’s design and production, and (ii) a systematic plan for providing users validated updates and patches to operating system or medical device software, where such plan is needed to assure continued safe and effective device usage
- Appropriate documentation to demonstrate that the device will be provided to purchasers and users free of malware
- Device instructions for use and product specifications related to recommended anti-virus software and/or firewall use appropriate for the environments the device is most likely to be used, even when it is anticipated that users may use their own virus protection software
Note: It is very important that MDMs document their RF wireless risk analyses, quality control procedures, device security instructions, and cybersecurity risk mitigation plans. FDA warning letters have made clear that FDA will home in on documentation deficiencies in connection with its investigation of an MDM’s risk management systems.
Recent FDA guidance shows the agency has heard the concerns of the general public and other governmental officials regarding the safety of wireless medical devices. This guidance also makes clear that FDA believes its regulations require MDMs to bear a significant portion of the burden for ensuring that wireless devices are used safely and effectively. Accordingly, MDMs would be well advised to both follow FDA recommendations for securing wireless medical devices and document the steps they took in doing so, just in case something does go wrong despite an MDM's best efforts.