On January 22, 2016, the Food and Drug Administration (FDA) issued draft guidance on cybersecurity risks associated with medical devices, and addressed steps that device manufacturers should take to mitigate such risks. The guidance, titled Postmarket Management of Cybersecurity in Medical Devices (Postmarket), is intended to clarify the FDA’s recommendations and emphasize the importance of monitoring, identifying, and addressing cybersecurity vulnerabilities in medical devices once they are on the market. It applies to those medical devices that contain software (including firmware) or programmable logic, and to software that itself is a medical device.
The FDA’s guidance is the latest in a continuing effort to address ongoing cybersecurity threats standing in the way of safe and effective healthcare. It follows the FDA’s heavily criticized premarket guidance from 2014, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, and also builds on steps the federal government has taken in recent years, including executive orders aimed at improving cybersecurity infrastructure and promoting cybersecurity information sharing, and a public workshop hosted by various federal agencies to discuss collaborative approaches to the issue. Incorporating guidance from these and other findings, Postmarket provides medical device manufacturers with the FDA’s current thinking on how best to institute a comprehensive risk-management framework.
What Steps Should I Take to Best Mitigate Risk?
Postmarket discusses numerous steps that manufacturers should take to help mitigate cybersecurity risks in postmarket devices. These steps include:
- Applying the 2014 National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. This voluntary framework is built around the five core functions of Identify, Protect, Detect, Respond, and Recover. The FDA maintains that implementing a framework that includes these five functions is integral to any comprehensive plan to manage postmarket cybersecurity threats, and Postmarket provides device manufacturers with detailed guidance on how to implement such a framework effectively.
- Participating in an Information Sharing and Analysis Organization (ISAO). As first suggested in President Obama’s February 2015 executive order titled Promoting Private Sector Cybersecurity Information Sharing, the FDA believes that ISAOs are key vehicles for information sharing between the private and public sectors, and it considers voluntary participation in an ISAO a critical component of an effective approach to managing cybersecurity threats. In some cases, participation in an ISAO may relieve a manufacturer of certain federal reporting requirements.
Furthermore, the FDA encourages manufacturers to abide by the applicable federal regulations and to implement a comprehensive cybersecurity risk management program. Such a program should address, among other things, vulnerabilities that may permit unauthorized access, modification, misuse, or denial of use, or the unauthorized use of information that is stored on, accessed from, or transferred from a medical device to an external recipient, where such a vulnerability may impact patient safety. Critical aspects of such a program include:
- Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
- Understanding, assessing, and detecting the presence and impact of a vulnerability;
- Establishing and communicating processes for vulnerability intake and handling;
- Clearly defining essential clinical performance in order to develop mitigations that protect against, respond to, and recover from the cybersecurity risk;
- Adopting a coordinated vulnerability disclosure policy and practice; and
- Deploying mitigations that address cybersecurity risk early, before exploitation occurs.
What Should I Do if I Find Vulnerabilities?
In most cases where a cybersecurity vulnerability is present, the corrective actions taken by manufacturers to address it will be considered “routine updates or patches” and will not require advance notification, additional premarket review, or reporting under federal regulations. However, where a vulnerability compromises the essential clinical performance of a device and presents a reasonable probability of serious adverse health consequences or death, the agency will require notice.
Where such vulnerabilities are quickly addressed in a manner that “sufficiently reduces the risk of harm to patients,” and where certain conditions are met, the agency does not intend to enforce the urgent reporting requirements. These conditions are:
- There are no known serious adverse events or deaths associated with the vulnerability.
- Within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users.
- The manufacturer is a participating member of an ISAO.
The latest FDA guidance underscores the federal government’s commitment to mitigating growing cybersecurity threats in the healthcare sector. It also signals to medical device manufacturers the importance of being proactive in their efforts to mitigate cybersecurity threats, not only during design and implementation but also throughout the continued use of their devices. Device manufacturers that take proactive measures using the framework provided by the FDA may be subject to less scrutiny and fewer federal reporting requirements, and will be best positioned to manage unforeseen threats to patient safety effectively.
The FDA is seeking public comment on this draft guidance through April 21, 2016.