Sternum’s Comments on the FDA’s Draft Premarket Guidance

As enhancements to an already comprehensive document, Sternum suggests some additional guidance, focusing especially on the implementation of security

Natali Tshuva

March 26, 2019

As more medical devices become exposed to cybersecurity risks, the Food and Drug Administration (FDA) has recently released a draft guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” Following the FDA’s request for comments, Sternum is delighted to provide its comments on the draft, based on Sternum’s expertise in IoT security, with a particular focus on high-value medical IoT devices.

The FDA guidance provides a set of security-focused controls for the process of design, labeling and documentation of IoT devices and is intended to protect against a variety of risks and attack methods that could be disruptive and dangerous in a clinical context.

Sternum views the guidance as part of a positive effort and considers it up to date and consistent with recent changes in both IoT technology and cybersecurity risks and threats. As enhancements to an already comprehensive document, Sternum suggests some additional guidance, focusing especially on the implementation of security within the design and development of the devices.

The following are additional risk areas that Sternum advises the FDA to consider adding to the guidance:

Evaluating and securing third-party code

In IoT devices, the use of third-party code is prone to vulnerabilities. Sternum advises the FDA to guide manufacturers to take security measures when evaluating any third-party code used during the development of the device. Using security tools and solutions that protect third-party code, as well as closed-source operating systems, communication stacks and SDKs, is essential for comprehensive device security.

Protection of encryption and authentication, including in the over-the-air (OTA) update process

Though the FDA draft guidance directly mentions encryption and authentication mechanisms, Sternum advises further including security measures against exploitation that can lead to an encryption or authentication bypass. In this specific context, the highly critical OTA update process, even when its communication is encrypted, still requires protection against such a bypass. An encryption bypass can be achieved through memory corruption or race condition vulnerabilities in the device’s own code and jeopardizes the entire OTA process.

Sternum advises the FDA to consider the OTA process part of the device’s critical functionality, which requires additional security controls, and to add controls that refer specifically to protection against exploitation.
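As an added illustration of the point above (example code written for this page, not part of Sternum’s EIV or the FDA guidance), here is a defensive OTA chunk handler for a firmware staging buffer: the chunk header fields remain untrusted after transport decryption, so they are bounds-checked before any copy, and the image is only accepted after an integrity check. The staging-buffer size, the sequential-chunk rule and the FNV-1a checksum (standing in for a real signature verification) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define STAGING_SIZE 4096u   /* assumed size of the firmware staging area */
static uint8_t  staging[STAGING_SIZE];
static uint32_t bytes_received;
/* Chunk header after transport decryption: every field is still untrusted. */
struct ota_chunk {
    uint32_t       offset;   /* where in the image this chunk belongs */
    uint32_t       length;   /* payload bytes in this chunk */
    const uint8_t *payload;
};
/* Constructed sample payload for a stand-alone run; not real firmware. */
const uint8_t sample_payload[8] = {1, 2, 3, 4, 5, 6, 7, 8};
void ota_reset(void) { bytes_received = 0; memset(staging, 0, sizeof staging); }
uint32_t ota_received(void) { return bytes_received; }

/* Copy one chunk into the staging area; false on any bad header. Without
 * these checks a sender who passed authentication (or corrupted the header
 * in memory) could write past the buffer: the bypass the text warns about. */
bool ota_store_chunk(const struct ota_chunk *c)
{
    if (c->length == 0 || c->length > STAGING_SIZE)
        return false;
    if (c->offset > STAGING_SIZE - c->length)   /* subtraction: no wrap-around */
        return false;
    if (c->offset != bytes_received)            /* sequential: no gaps/overlaps */
        return false;
    memcpy(&staging[c->offset], c->payload, c->length);
    bytes_received += c->length;
    return true;
}
/* FNV-1a over the received image: a stand-in for a real signature check. */
uint32_t ota_digest(void)
{
    uint32_t h = 2166136261u;
    for (uint32_t i = 0; i < bytes_received; i++) {
        h ^= staging[i];
        h *= 16777619u;
    }
    return h;
}
/* Only a complete, integrity-checked image may be marked installable. */
bool ota_commit(uint32_t expected_digest)
{
    return bytes_received > 0 && ota_digest() == expected_digest;
}
```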

Hardware-level and chip-level security

Though IoT software is the focus of the FDA draft guidance, Sternum advises stressing the importance of hardware-level security as well, and the fact that software also exists within the hardware modules used by the manufacturer. To avoid chip-level vulnerabilities, device manufacturers should use secure communication modules and hardware.

A suggested control is to define security for communication between different internal hardware modules, making it harder to exploit the main application processor from a vulnerable communication processor. Another suggested solution is to actively secure the software within the communication modules in use and treat it as third-party code.

Avoiding the importation of mobile device risks into medical IoT devices

Naturally, many connected devices communicate with a mobile application. Due to the high potential for vulnerability, we at Sternum believe that the mobile app should not be trusted, and that any data should be verified end-to-end, using a secure server or a component of similar functionality. Moreover, where possible, we would advise device manufacturers to avoid storing encryption keys on mobile platforms.

Real-time prevention and response

Intrusion detection is only part of the way to securing a device. Detected threats should, when feasible, be reported to an online monitoring system that includes not only the essentials (log storage and alerting), but also a reporting protocol back to the manufacturer for further investigation and mitigation. Sternum suggests adding a control covering documentation of the manufacturer’s response protocol, including an SLA. Aware of the risks and complexity of IoT intrusion prevention, Sternum advises considering industry-accepted intrusion prevention systems and anti-malware software, where applicable.

These comments and suggested controls stem from our team’s combined experience in offensive and defensive IoT cyber-security research. Many of these issues are directly addressed by Sternum’s solution, EIV (Embedded Integrity Verification). Today, we are bringing them forth to further deepen the already comprehensive, up-to-date and highly actionable guidance published by the FDA. Sternum’s comments are offered as part of a joint effort to accelerate and improve IoT cybersecurity across the medical sector.