Recently, the U.S. Food and Drug Administration (FDA) published draft guidance entitled “Postmarket Management of Cybersecurity in Medical Devices” (the Guidance) that sets forth ways in which medical device manufacturers should monitor and address cybersecurity risks.  The Guidance is the latest manifestation of a federal agency weighing in on the continually growing concern caused by cybersecurity threats.  Suzanne Schwartz of the FDA’s Center for Devices and Radiological Health commented that the Guidance “will build on the FDA’s existing efforts to safeguard patients from cyber threats by recommending medical device manufacturers continue to monitor and address cybersecurity issues while their product is on the market.”

Despite its title, the Guidance sets forth lists of both premarket and postmarket considerations for device manufacturers.  Before marketing its product, manufacturers are encouraged to: identify assets, threats, and vulnerabilities; assess the impact of threats on device functionality and end users; assess the likelihood of a threat being exploited; determine risk levels and suitable mitigation strategies; and assess residual risk and risk acceptance criteria.

Once devices go to market, manufacturers should implement cybersecurity risk management programs that incorporate the elements of identification, protection, detection, response, and recovery, consistent with  the NIST Framework for Improving Critical Infrastructure Cybersecurity.  The Guidance considers the following components to be “critical”:

  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  • Understanding, assessing, and detecting presence and impact of a vulnerability;
  • Establishing and communicating processes for vulnerability intake and handling;
  • Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk;
  • Adopting a coordinated vulnerability disclosure policy and practice; and
  • Deploying mitigations that address cybersecurity risk early and prior to exploitation.

The Guidance recognizes that certain cybersecurity risks are more severe and require responses that are swifter and stronger than others.  Thus, once a manufacturer identifies a risk, they are encouraged to consider both the “exploitability” of the vulnerability as well as the “severity of the health impact to patients if the vulnerability were to be exploited.”  Manufacturers should then evaluate whether the risk level is acceptable or not with respect to “essential clinical performance” of the device.  In the event that an unacceptable, uncontrolled risk exists with respect to a device’s essential clinical performance, in addition to remediation, manufacturers should report such vulnerability to the FDA (although when a certain set of criteria is met, including that the vulnerability becomes controllable within 30 days, such reporting obligation will not be enforced).

The FDA encourages interested parties to respond to the Guidance with comments.  Public comments to the Guidance should be submitted within 90 days of its publication.  Written comments may be submitted to the Division of Dockets Management (HFA-305), Food and Drug Administration, 5630 Fishers Lane, rm. 1061, Rockville, MD 20852.  Electronic comments may be submitted to http://www.regulations.gov.