Earlier this month, the U.S. Food & Drug Administration (FDA) issued a final guidance on the management and mitigation of cybersecurity risks in the design and development of medical devices. The guidance provides recommendations for medical device manufacturers to consider in developing cybersecurity policies and practices, as well as information to include in medical device premarket submissions. Notably, the FDA identified and explained in detail five core functions that manufacturers should use to guide their cybersecurity controls: Identify, Protect, Detect, Respond, and Recover.
The purpose of the guidance is to aid manufacturers in managing cybersecurity risks that have the potential for adverse impacts on public health. According to the guidance, “[m]anufacturers should develop a set of cybersecurity controls to assure medical device cybersecurity and maintain medical device functionality and safety.” Specifically, manufacturers should establish design inputs for their devices and establish “a cybersecurity vulnerability and management approach” that does the following:
- Identifies assets, threats, and vulnerabilities;
- Assesses the impact of threats and vulnerabilities on device functionality and end users/patients;
- Assesses the likelihood of a threat and of a vulnerability being exploited;
- Determines risk levels and suitable mitigation strategies; and
- Assesses residual risk and risk acceptance criteria.
Moreover, the guidance identifies the type of documentation the FDA recommends that manufacturers submit in their premarket submissions, including hazard analyses, plans for providing validated software updates, and a summary of controls that are in place to assure that the medical device software will maintain its integrity. This information is intended to mitigate the threat of hackers accessing the devices and to protect patient health information.
The FDA indicates that this guidance applies to the following premarket submissions for devices:
- Premarket Notification (510(k)), including Traditional, Special and Abbreviated;
- De novo submissions;
- Premarket Approval Applications (PMA);
- Product Development Protocols (PDP); and
- Humanitarian Device Exemption (HDE) submissions.
Although the FDA frames the content of the guidance as recommendations for medical device manufacturers, these “recommendations” will ultimately serve as important guidelines for companies to follow as they design and develop new devices. On October 21-22, 2014, the FDA will hold a public workshop to seek public input on medical device and healthcare cybersecurity. More information on the workshop can be found here.