The FDA, Cybersecurity and Coexistence for Bluetooth and Wi-Fi Enabled Devices
Integrating wireless technology into medical devices has numerous benefits that positively impact patient outcomes, both by allowing caregivers real-time access to patient data and by providing the ability to remotely program these devices. The demand for Wi-Fi and Bluetooth LE capable medical devices is increasing. These devices, however, are vulnerable to coexistence and cyber security issues.
Bluetooth and Wi-Fi radios may exist in the same device and, at a minimum, often operate in close proximity. Although Bluetooth and Wi-Fi transmit in different ways using different protocols, coexistence issues must be mitigated to protect the performance and reliability of both wireless interfaces, for example by temporal, spatial and/or isolation methods.
Concerned that cyber security vulnerabilities present a potential risk to the safety and effectiveness of medical devices, the FDA released a guidance document, “Postmarket Management of Cybersecurity in Medical Devices”, in draft form on 22 January 2016. The guidance document emphasizes the need for security throughout the life cycle of medical devices. AAMI and UL have both released guidelines for assessing risk due to cyber security threats. Manufacturers should not only incorporate controls in the design of a product to help prevent cyber security risks, but also consider improvements during maintenance of devices. The FDA recommends a cyber security risk analysis that includes threat modeling; the cyber security risk analysis should be updated over time. Additionally, the FDA guidance specifically states that there is no need to re-certify when fixing security issues. Although the FDA guidance does not define a time frame for fixing security issues, it does call for fixes in a “timely fashion” and says that manufacturers should “address cyber security risk early and prior to exploitation.”