Remediating and Reporting Cybersecurity Vulnerabilities

Manufacturers are required to determine if the residual risk of a cybersecurity vulnerability is “controlled” (acceptable) or “uncontrolled” (unacceptable). Following this initial determination of the seriousness of the risk to “essential clinical performance”, the FDA has recommended a variety of both remediation and reporting requirements. These requirements are logical and pragmatic, in that controlled risk obviously requires a different (lesser) level of response than an uncontrolled risk. 

The level of response required is similar to that I experienced with a certain cantankerous 1980 Oldsmobile in my youth. For minor issues, such as random stalling at stop signs, all I needed was a quick hit of carb cleaner and a long-shanked screwdriver to loosen the butterfly valve and be on my way. For major problems, I was going to need either a tow truck or a fire extinguisher. Trust me, once the fire extinguisher made an appearance, there were definitely “reporting requirements” (at least as to my parents).

The FDA set forth general guidelines for manufacturers before diving into the proper responses to controlled and uncontrolled risks. An initial reminder pointed out that cybersecurity risk management is an ongoing task, and thus, “for cybersecurity routine updates and patches”, the FDA will not require premarket approval, nor will the FDA need to approve software changes. The guidelines went on to list 6 different procedures which manufacturers should adopt as part of their normal course of cybersecurity risk management. Among the guidelines were practicing “good cyber hygiene”, which essentially would ask manufacturers to constantly innovate within the product life cycle to lessen even controlled risks. In addition, manufacturers were encouraged to reduce all vulnerabilities, even those that may not immediately impact essential clinical performance. Software validation was also stressed, as were a variety of communications with users, which would enable them to understand the reasoning behind certain controls and instructions, and thus mitigate their own risks.

The FDA’s guidelines go on to recommend procedures to address controlled and uncontrolled risks to essential clinical performance.

In dealing with a “controlled” risk to a device’s essential clinical performance, the manufacturer is obviously dealing with a relatively minor issue. However, this does not relieve the manufacturer from certain overall recommendations, such as the overarching requirement that the company promote good cyber hygiene and constantly work to reduce risk, even controlled risk. As such, the company will have some work to do, even when the risk is controlled. As previously mentioned, when a company enhances the security of a device via a patch or software update, such changes need not be reported to the FDA. The exception to this rule is a PMA device with periodic reporting requirements. In these situations, a manufacturer may need to discuss the specific cybersecurity vulnerabilities in its periodic (annual) report. Examples are provided to assist the manufacturer in determining whether or not the annual report is required. See Section I.A. Assuming the company is pursuing the general goal of having a robust cybersecurity system in place, there is no need for immediate reporting or remediation if the risk is “controlled”.

In sharp contrast, an “uncontrolled” risk to a device’s essential clinical performance is a much more serious threat to the user of the device, and thus, the manufacturer has been given more extensive guidance and stricter requirements for both remediation and reporting. In Section IV. B., the FDA begins by requiring remediation of the vulnerabilities which will lower the risk to essential clinical performance “to an acceptable level”. First and foremost, the manufacturer is tasked with fixing the vulnerability. The FDA recognizes that an immediate fix may not be available, so the manufacturer should implement work-arounds and temporary fixes to mitigate risk in the short term. These immediate fixes should be communicated to users so they can take appropriate steps to mitigate their own personal risk.

As to reporting uncontrolled risk, there are a variety of decision trees at work here, depending on the type of device. Initially, manufacturers must report vulnerabilities to the FDA, depending on a variety of conditions set forth in the 3rd bullet point of Section IV. B. Following an assessment of the need for immediate reporting, the FDA noted that Class III devices must include a report on the remediation in the annual report. For all PMA devices, the information regarding the cybersecurity vulnerability, the device changes and any compensating controls should be reported in the periodic (annual) report. (See Section VIII. for the list of suggested topics in the PMA Periodic Report.) In addition, a manufacturer should take a close look at any device changes made during remediation to determine whether or not there is a need to submit a premarket submission, such as a supplement to the PMA or a new 510(k).

The FDA noted that remediation was critical when the uncontrolled risk to clinical performance “may be considered to have a reasonable probability that use of, or exposure to, the product will cause serious adverse health consequences or death.” In such cases, the agency stated that the product could be held to be in violation of the Food, Drug and Cosmetic Act and subject to enforcement. If this situation arises, it would be similar to any other known risk and the strictures of the act could require the company to take swift action to protect the public.

Stay tuned for the final part of this four-part series, "Proper Elements of an Effective Postmarketing Cybersecurity Program", coming soon. Read "Part 1 - Background and Overview of Essential Concepts" here and "Part 2 - Risk Assessment and Management in a Dangerous World" here.