On January 15, 2016, the Food and Drug Administration (FDA) issued new guidance that, for the first time, recommends routine postmarketing cybersecurity risk management for medical devices. According to the guidance, certain cybersecurity issues trigger requirements to file Medical Device Reports (MDRs) and Part 806 reports, and are also subject to the Quality System Regulation (QSR). The guidance, which was issued in draft form to permit public comment, emphasizes the regulatory obligations of manufacturers under existing statutory authorities, but also assigns responsibility for cybersecurity issues to IT vendors and system users. Comments will be accepted until April 21, 2016.
While healthcare providers and medical device manufacturers often disagree on their relative responsibility for cybersecurity matters, FDA takes the position that cybersecurity risk management is a shared duty among stakeholders including the device manufacturer, users, the Information Technology (IT) system integrator, health IT developers and IT vendors that provide products that are not regulated by FDA. The guidance recognizes that failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats, any of which may ultimately have the potential to result in patient illness, injury or death.
The draft recommends that manufacturers take a proactive, risk-based approach to cybersecurity, consistent with the QSR, by:
- Developing, documenting and implementing a structured and systematic comprehensive cybersecurity risk management program consistent with the 2014 NIST Voluntary Framework for Improving Critical Infrastructure Cybersecurity (i.e., Identify, Protect, Detect, Respond and Recover);
- Engaging in cybersecurity information sharing and monitoring, including through participation in an Information Sharing Analysis Organization (ISAO), which is a group that shares critical infrastructure information across industries in the private sector, as well as between the private sector and government, to help prevent, detect, mitigate or recover from cyber threats; and
- Performing routine device cybersecurity maintenance, including “routine updates and patches.”
A key component of cybersecurity vulnerability assessment is identifying “essential clinical performance,” a term introduced in the draft and defined as “the performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer.” According to FDA, identifying essential clinical performance involves considering the requirements necessary to achieve device safety and effectiveness. “Risk” is further bifurcated into (1) “controlled risk,” which is “present when there is sufficiently low (acceptable) residual risk that the device’s essential clinical performance could be compromised by a cybersecurity vulnerability,” and (2) “uncontrolled risk,” which is “present when there is unacceptable residual risk that the device’s essential clinical performance could be compromised due to insufficient compensating controls and risk mitigations.” The draft provides a number of recommendations for, and examples of, both controlled and uncontrolled risks.
FDA recently demonstrated its willingness to intervene if it determines that a device with an uncontrolled cybersecurity vulnerability poses an unacceptable risk to patients. Last July, FDA took the extraordinary measure of alerting hospitals that the Symbiq Infusion System was vulnerable to exploitation by hackers and recommending that hospitals discontinue using the device. The device manufacturer and an independent researcher had confirmed that the device could be accessed remotely through a hospital’s network, which could permit an unauthorized user to remotely control the device and change dosage settings, potentially leading to over- or under-infusion.
The draft explains that, when an uncontrolled risk is swiftly addressed in a manner that adequately reduces the risk, and when certain other conditions are met, FDA will not enforce urgent reporting of the vulnerability under 21 CFR part 806. For FDA to exercise this enforcement discretion, all of the following criteria must be met:
- There are no known serious adverse events or deaths associated with the vulnerability;
- Within thirty days of learning of the vulnerability, the manufacturer identifies and implements device changes or external safeguards to reduce the residual risk to an acceptable level; and
- The manufacturer voluntarily participates in an ISAO.
This final criterion, voluntary participation in an ISAO, illustrates that FDA expects device manufacturers to take a proactive approach to cybersecurity by learning from other industries how to identify and mitigate cyber risk to develop best practices and by communicating information pertaining to potential cybersecurity threats to other stakeholders.
The draft guidance is part of FDA’s ongoing effort to ensure the safety and effectiveness of medical devices in the face of potential cyber threats through all stages of the product lifecycle, consistent with the QSR. It follows Executive Order 13636 – Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive 21, which called upon stakeholders in the public and private sectors to strengthen critical cybersecurity infrastructure. As part of these efforts, FDA also released a final guidance in October 2014 entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.”