Are medical devices, subject to pre- and post-market regulatory controls, under increasing cybersecurity scrutiny? The FDA recently published recommendations for consideration of cybersecurity management in a product’s design and development phases, and in preparation of pre-market submissions. While the agency emphasizes that it has issued a guidance document containing only nonbinding recommendations, is there an underlying expectation that manufacturers address—and that agency staff assess— such planning as part of the approval process?
The guidance sets forth a five-function framework for approaching cybersecurity in design and development, borrowed from the National Institute of Standards and Technology: Identify, Protect, Detect, Respond, and Recover. Essentially, this framework promotes risk management through a continuous process of identifying, evaluating, and responding to vulnerabilities. The FDA highlights some specific controls for consideration, including the capability to limit access to trusted users, ensure trusted content, protect critical functionality, and provide for recovery following a security compromise.
Where does risk tolerance fit in? According to the publication, “[t]he extent to which security controls are needed will depend on the device’s intended use, the presence and intent of its electronic data interfaces, its intended environment of use, the type of cybersecurity vulnerabilities present, the likelihood the vulnerability will be exploited (either intentionally or unintentionally), and the probable risk of patient harm due to a cybersecurity breach.”
Also included in the guidance is a list of security-related processes, documentation of which is recommended as part of a device’s pre-market submission. Manufacturers, recommends the FDA, should provide:
A hazard analysis pertaining to intentional and unintentional risks associated with the device; A list of the security controls chosen, and a justification for selection; A traceability matrix linking controls to risks; Summary plans pertaining to risk management throughout the device lifecycle; and Instructions for use and product specifications of recommended controls for the intended use environment.
Healthcare organizations, too, may be interested in the FDA guidance as procurement considerations. Increased awareness of controls built into the design and development phases, as well as ongoing vulnerabilities, may simplify organizational and patient risk management.