FDA Continues to Grapple with Strategies for Tackling Medical Device Cybersecurity Vulnerabilities

It is only February, but the Food and Drug Administration (FDA or Agency) has already been actively focusing on issues relating to medical device cybersecurity. Following a public workshop held on January 20-21, 2016, entitled “Moving Forward: Collaborative Approaches to Medical Device Security,”1 the FDA published a new draft guidance for the industry entitled “Postmarket Management of Cybersecurity in Medical Devices”2 (Draft Guidance).3 The Draft Guidance is another step in FDA’s evolving attempt to address growing concerns over cybersecurity threats in medical devices.4 The new Draft Guidance outlines steps that medical device manufacturers should take to continually address cybersecurity risks. The Agency notes that “it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats means risks may arise throughout a device’s entire lifecycle,”5 from medical device conception to obsolescence.

The Draft Guidance provides recommendations to manufacturers with regard to monitoring, identifying, and addressing cybersecurity vulnerabilities as part of the manufacturer’s continuing postmarket management of a medical device. These recommendations apply to: 1) medical devices that contain software (including firmware) or programmable logic, and 2) software that is a medical device.

As noted by the Agency, “effective” cybersecurity risk management is a shared responsibility between stakeholders including health care facilities, patients, providers, and manufacturers of medical devices.

Recommended Postmarket Considerations

FDA recommends that manufacturers apply the NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework) (i.e., Identify, Protect, Detect, Respond, and Recover)6 in the development and implementation of a comprehensive cybersecurity program. Any program should emphasize addressing vulnerabilities that may allow for unauthorized “access, modification, misuse, or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient, and may impact patient safety.”7

To that end, FDA has identified the following factors to be critical components of such a program:

  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  • Understanding, assessing, and detecting the presence and impact of a vulnerability;
  • Establishing and communicating processes for vulnerability intake and handling;
  • Clearly defining essential clinical performance to develop mitigations that protect, respond, and recover from the cybersecurity risk;
  • Adopting a coordinated vulnerability disclosure policy and practice; and
  • Deploying mitigations that address cybersecurity risk early and prior to exploitation.8

Moreover, in order to properly manage postmarket security risks, medical device manufacturers should have a “structured and systemic” approach to risk management and quality management consistent with 21 CFR Part 820. The Draft Guidance also stresses the importance of voluntary participation in information sharing via an Information Sharing Analysis Organization (ISAO). FDA considers active participation in an ISAO to be a “critical component of a device manufacturer’s comprehensive proactive approach to management of postmarket cybersecurity risks.”9

FDA encourages manufacturers to conduct efficient, timely, and ongoing cybersecurity risk management for marketed medical devices. To that end, “cybersecurity routine updates and patches” will typically not require prior FDA clearance or approval of the medical device software changes. However, for changes that are required to address cybersecurity vulnerabilities that can compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death, FDA would require the manufacturer to notify the Agency and determine the need to submit a premarket submission (e.g., PMA supplement, 510(k) amendment, etc.).

While FDA sets out many recommendations in the Draft Guidance, it is unclear how the Agency plans to ensure that medical device manufacturers are creating and implementing programs to address postmarket cybersecurity. It is possible that the Agency will look for manufacturers to incorporate these recommendations into a sound Quality System (QS) program, given the Draft Guidance’s stated expectation that manufacturers follow an approach to risk and quality management that is consistent with 21 CFR Part 820.

Comments to the draft guidance are due April 21, 2016 and can be submitted here.


1 For more information about the two-day workshop, please visit here.

2 The draft guidance was not listed as one of the guidance documents expected to be issued by the Center for Devices and Radiological Health (CDRH) in 2016. CDRH’s 2016 Priority List is found here.

3 The Draft Guidance can be accessed here.

4 As you may recall, in 2015, FDA issued two separate safety communications discussing cybersecurity vulnerabilities of two Hospira Infusion Pump Systems. FDA issued a Safety Communication on vulnerabilities of Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems on May 13, 2015. See http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm.

Hospira and an independent researcher confirmed that it is possible to access the Symbiq Infusion System remotely through a hospital’s network. See http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm456815.htm.

5 See FDA’s Press Release here.

6 See National Institute of Standards and Technology Framework, available here. The Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk. The Framework was released by NIST in February 2014.

7 See Draft Guidance at 11.

8 Id. at 11-12.

9 Id. at 7.

10 Id. at 16.
