Background and Overview of Essential Concepts

As part of the increase in cybersecurity issues in an increasingly networked society, the FDA has decided to provide medical device manufacturers with structure and specificity in its quest to counter threats to patient safety.  Although most of the recommendations offer industry a chance to self-police relatively minor security issues, the agency has proposed that a small subset of vulnerabilities “may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death” and would thus require that manufacturers notify the FDA of imminent threats to the public health.

The genesis of this highlighted commitment to cybersecurity is rooted in Executive Order 13636 – Improving Critical Infrastructure Cybersecurity (Feb. 19, 2013), in which cyberthreats to the nation’s welfare were highlighted, specifically including public health and safety as an area of concern.  As a part of this mandate, Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience (Feb. 12, 2013) tasks all government entities and private stakeholders with accepting responsibility for strengthening the nation’s infrastructure, including the security of medical devices.  In response, industry has created a general framework of best practices, standards and guidelines to address cybersecurity concerns.  In order to foster cooperation within industry, Information Sharing and Analysis Organizations (ISAOs) will serve both as focal points for discussion and as storehouses for the collective wisdom of private sector collaboration.

Following this overview, we will focus on three major areas of concern for the FDA: (1) risk assessment, (2) remediating and reporting vulnerabilities, and (3) the elements of an effective postmarketing cybersecurity program.

In order to understand the more practical aspects of the FDA’s focus, we must first become familiar with several important concepts.  Chief among these concepts is the idea of protecting “essential clinical performance”.  Essential clinical performance is “performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer.”  It is up to the manufacturer to set proper guidelines for acceptable performance, the potential severity of outcomes if performance is compromised, and risk acceptance criteria.  The essential clinical performance of the device often determines the relative risk of potential vulnerabilities.  The FDA stated that the risk posed by a cyberthreat to a thermometer is far less than that posed by a threat to an insulin infusion pump, because of the clear difference in the impact of a degradation of the essential clinical performance of the respective devices.  Whereas a near total failure of a thermometer would be unlikely to impact patient safety, any variation in the amount of insulin delivered by an infusion pump would have an immediate impact on the patient’s blood glucose level.

Once a manufacturer determines the essential clinical performance of a device, the manufacturer must be on the lookout not only for potential threats to the device, but also for the vulnerabilities within the device.  Threats are broadly defined as “any circumstance or event with the potential to adversely impact the essential clinical performance of the device….”  Threats also include things that would impact organizational operations, organizational assets, individuals or other organizations.  Such threats could impact an information system “via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.”  Threats exploit “vulnerabilities”, which are defined as “weakness(es) within the information system, system security procedures, internal controls or implementations”.

Essentially, the remainder of the guidelines focuses on creating a practical roadmap for manufacturers, both for dealing with cyberthreats and for meeting new FDA reporting requirements.  The ultimate goal is to keep safe and effective products on the market, knowing that some may have various levels of vulnerability to cyberattack.  With proper risk assessment, threat modeling, remediation and postmarketing surveillance, a medical device company should be able to promote patient safety and continue to make medical devices safer in a dangerous world.