Frequently Asked Questions
What information should be included in the labeling regarding cybersecurity risks?
The following information should be included:
- Device instructions and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g., anti-virus software, use of a firewall).
- A description of the device features that protect critical functionality, even when the device’s cybersecurity has been compromised.
- A description of backup and restore features and procedures to regain configurations.
- Specific guidance to users regarding supporting infrastructure requirements so that the device can operate as intended.
- A description of how the device is or can be hardened using secure configuration. Secure configurations may include endpoint protections such as anti-malware, firewall/firewall rules, whitelisting, security event parameters, logging parameters, physical security detection.
- A list of network ports and other interfaces that are expected to receive and/or send data, and a description of port functionality and whether the ports are incoming or outgoing (note that unused ports should be disabled).
- A description of systematic procedures for authorized users to download version-identifiable software and firmware from the manufacturer.
- A description of how the design enables the device to announce when anomalous conditions are detected (i.e., security events). Security event types could be configuration changes, network anomalies, login attempts, anomalous traffic (e.g., send requests to unknown entities).
- A description of how forensic evidence is captured, including but not limited to any log files kept for a security event. Log files descriptions should include how and where the log file is located, stored, recycled, archived, and how it could be consumed by automated analysis software (e.g., Intrusion Detection System, IDS).
- A description of the methods for retention and recovery of device configuration by an authenticated privileged user.
- Sufficiently detailed system diagrams for end-users.
- A CBOM including but not limited to a list of commercial, open source, and off-the-shelf software and hardware components to enable device users (including patients, providers, and healthcare delivery organizations (HDOs)) to effectively manage their assets, to understand the potential impact of identified vulnerabilities to the device (and the connected system), and to deploy countermeasures to maintain the device’s essential performance.
- Where appropriate, technical instructions to permit secure network (connected) deployment and servicing, and instructions for users on how to respond upon detection of a cybersecurity vulnerability or incident.
- Information, if known, concerning device cybersecurity end of support. At the end of support, a manufacturer may no longer be able to reasonably provide security patches or software updates. If the device remains in service following the end of support, the cybersecurity risks for end-users can be expected to increase over time.