On January 15, 2016, the FDA published a draft guidance entitled, "Postmarket Management of Cybersecurity in Medical Devices," which lists a number of recommendations to help medical device manufacturers protect patients from cybersecurity vulnerabilities in their devices.
The FDA acknowledges that cybersecurity in medical devices is a shared responsibility among stakeholders, including health care facilities, patients, providers, and manufacturers of medical devices. “Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury or death.”
The draft guidance states that effective risk management is critical in reducing patient risk by decreasing the chance that a device’s functionality could be compromised due to inadequate cybersecurity. As such, it is important that manufacturers have an effective cybersecurity risk management program in place. The program should incorporate both premarket and postmarket lifecycle phases, and address cybersecurity from medical device conception to obsolescence.
On October 2, 2014, the FDA issued a guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” This guidance provides “recommendations for manufacturers to address cybersecurity during the design and development of the medical device, as this can result in more robust and efficient mitigation of patient risks.”
It is extremely important for medical device manufacturers to address vulnerabilities as thoroughly as possible before the device is on the market. However, due to the constantly changing nature of cybersecurity risks, it is not always possible to completely mitigate risks through premarket controls alone. As such, it is crucial for manufacturers to implement a comprehensive cybersecurity risk management program. Critical components of such a program include:
Postmarket cybersecurity information can originate from various sources such as independent security researchers, in-house testing, suppliers of software or hardware technology, health care facilities, and information sharing and analysis organizations. “It is strongly recommended that manufacturers participate in a cybersecurity ISAO, as sharing and dissemination of cybersecurity information and intelligence pertaining to vulnerabilities and threats across multiple sectors is integral to a successful postmarket cybersecurity surveillance program.”
A structured and systematic approach to risk and quality management programs is essential in managing postmarket cybersecurity risks for medical devices. “For example, such a program should include:
It is recommended as part of a manufacturer’s cybersecurity risk management program that the manufacturer incorporates elements consistent with the NIST Framework for Improving Critical Infrastructure Cybersecurity (i.e., Identify, Protect, Detect, Respond, and Recover).”
The Agency recognizes that medical devices and the surrounding network infrastructure cannot be completely secured, and that the presence of vulnerabilities does not necessarily produce safety concerns. As such, vulnerabilities that do not appear to currently impact the clinical performance of the device should be regularly assessed for future impact.
Essential clinical performance is a concept that was developed for this [draft] guidance and “means performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer. Compromise of the essential clinical performance can produce a hazardous situation that results in harm and/or may require intervention to prevent harm.”
As part of their risk management efforts, manufacturers should define the essential clinical performance of their medical device, the resulting severity outcomes if compromised, and the risk acceptance criteria. Defining these requirements helps manufacturers to triage vulnerabilities that require remediation.
“When defining essential clinical performance, manufacturers should consider the requirements necessary to achieve device safety and effectiveness. Understanding and defining essential clinical performance is of importance in assessing a vulnerability’s impact on device performance, and in determining whether proposed or implemented remediation can provide assurance that the cybersecurity risk to the essential clinical performance is reasonably controlled. Importantly, acceptable mitigations will vary according to the device’s essential clinical performance.”
In addition to the above-mentioned general principles, the draft guidance also provides a number of other recommendations, including:
Additional information on FDA's recommendations for managing cybersecurity in medical devices is available in our preceding FDA News article entitled, "Cybersecurity in Medical Devices Part 1: Networked Medical Devices & Cybersecurity Vulnerabilities."
January 20, 2016