Australia’s Therapeutic Goods Administration (TGA) has published new guidelines for the security of medical devices and in vitro diagnostic (IVD) medical equipment.
Revealed on 18 July, the new guidance comes in one version for consumers, health professionals, small business operators and large-scale service providers (pdf) and another for industry (pdf).
Neither goes far beyond generic advice, in part because existing legislation and regulations already offer more detailed requirements.
The guidance for industry even points out that the “Essential Principles” it outlines “are not a prescriptive list of requirements for manufacturers to comply with and instead provide high level principles for flexibility according to the characteristics of the device.”
Device manufacturers are advised that they have a “responsibility to determine which essential principles are relevant and to demonstrate compliance with these.” Those principles are quite anodyne: they call on manufacturers to design their products with known security risks in mind, to maintain them well and to make them hard for attackers to exploit.
Guidance for users (pdf) gets a little meatier, as it addresses small and large businesses that deploy medical devices as part of their services.
Entities the TGA classes as “large-scale service providers” or those “responsible for implementing medical devices in critical health services” are advised to “develop a clear and well documented risk management strategy.”
That plan should include network security precautions such as “isolating networks from any untrusted network such as the internet, disabling any unused ports and services, only allowing real-time connectivity to external networks with a defined business requirement and using unidirectional networks with an air gap where possible.” Penetration testing and ensuring physical security of medical devices are also recommended.
The guidance to consumers is full of anodyne advice such as “Follow instructions when using your device” and “change from a password to a hard-to-guess passphrase.” It also asks consumers to actively consider the security implications of using medical devices by asking “either your doctor or the manufacturer of the medical device” questions such as “How can I tell if a device has been hacked or compromised and who should I talk to if this is suspected?”
iTnews imagines the average GP will have a lot of trouble answering that question, especially given that the universe of products the TGA considers includes smartphone apps, the operating systems they run on, the devices themselves, diagnostic software and more.