On January 22, 2016, FDA issued draft guidance to manufacturers regarding the postmarket management of cybersecurity vulnerabilities in medical devices. This draft guidance comes on the heels of draft guidance issued in 2013 to manufacturers on the premarket management of cybersecurity risks related to the design and development of medical devices. While FDA has not issued final versions of either guidance document, the message from regulatory agencies generally could not be clearer: cybersecurity is a risk that must be managed like any other risk companies are currently mitigating and managing.
The draft guidance is particularly concerned with networked medical devices that incorporate software because such devices are vulnerable to either accidental or deliberate breaches that may affect the “essential clinical performance” of the device and/or compromise the performance of the device.
The draft guidance’s recommendations on the implementation of monitoring and risk management systems are not new to the regular reader of this blog – indeed, they are no different from the cybersecurity protocols required under Federal and state laws and by various other agencies. For instance, the draft guidance cites the NIST framework as a tool to guide companies in developing comprehensive cybersecurity programs in which they monitor, identify, and address vulnerabilities on a consistent and ongoing basis. In addition to those general precepts, the FDA context requires medical device companies to institute systematic and structured risk management programs that identify cybersecurity vulnerabilities and address them consistent with the Quality System regulations (21 CFR part 820).
So where does a medical device manufacturer start when thinking about setting up their cybersecurity program? The answer is seemingly simple – determine the “essential clinical performance” of your device.
The draft guidance states that medical device companies are responsible for ensuring that the essential clinical performance of their devices is not compromised. The “essential clinical performance” is defined as the performance necessary to achieve freedom from an unacceptable clinical risk. Thus, the first step should be to define the “essential clinical performance” of your device and map your risk management protocol to mitigating uncontrolled (or unacceptably high) risks and threats to the essential clinical performance. That is – programs should address “vulnerabilities which may permit the unauthorized access, modification, misuses or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from medical device to an external recipient, and may impact patient safety.”
In assessing risk to the device’s essential clinical performance, FDA suggests that medical device companies consider:
- The exploitability of the cybersecurity vulnerability
FDA notes the difficulty of estimating the probability of a worst-case scenario in the absence of data. Thus, the draft guidance points to the “Common Vulnerability Scoring System,” Version 3.0 as a tool that helps companies assess the vulnerabilities of their particular devices.
- The severity of the health impact to patients if the vulnerability is exploited
The draft guidance encourages manufacturers to have processes and procedures in place to assess the severity of the impact to health.
The key purpose of the risk assessment program, again, ties back to where we started: the essential clinical performance of the medical device. FDA recognizes in this draft guidance that not all risks must be mitigated. Instead, companies should use the risk assessment to make determinations of whether a risk is “controlled” or “uncontrolled,” acceptable or unacceptable. This is done by understanding the nexus between the two risk management factors above – the severity of impact to health and exploitability – and making a binary determination of the risk level of certain vulnerabilities.
Finally, the draft guidance details the reporting requirements for certain vulnerabilities and risks identified in the risk assessment process. While FDA states that uncontrolled risks and vulnerabilities, among other things, should be reported, it grants what appears to be a safe harbor (“FDA does not intend to enforce reporting requirements…”) under 21 CFR part 806 for those risks that are not associated with serious adverse events or death, and for companies that identify and implement compensating controls to bring the risk to acceptable levels and participate in a cybersecurity ISAO (Information Sharing and Analysis Organization). The draft guidance is replete with examples of vulnerabilities that further illustrate the reporting requirements in the face of an uncontrolled risk.
The guidance issued on January 22, 2016 is draft guidance and open to public comment. While the exact language of the final iteration of this guidance is not yet known, it is clear that FDA, like many government agencies, is concerned with the threat of cybersecurity breaches, both intentional and accidental. Unlike the many data breaches involving credit card numbers and other personal information where the ascertainable harm is often remote and speculative, the risk of harm is paramount in medical devices that, if hacked, could pose serious harm – even death – to patients.