In September 2018, the Office of the Inspector General (OIG) published a report of its findings following an examination of the Food and Drug Administration’s (FDA) policies, procedures, and guidance in connection with cybersecurity reviews of networked medical1 devices. The OIG concluded that, while the FDA has begun to incorporate cybersecurity concerns as part of its review process, the FDA should take steps to ensure its cybersecurity review is systematic and consistent. The OIG specifically recommended that the FDA:
- Promote the use of the FDA’s pre-submission program (Pre-Sub Program) to discuss cybersecurity concerns
- Include cybersecurity documentation as a criterion in the FDA’s current Refuse To Accept checklists
- Revise its “Smart” template to prompt FDA reviewers with specific cybersecurity questions
After the OIG report, the FDA responded by saying that in the coming weeks it will overhaul its 2014 cybersecurity guidance, including by providing a list of commercial and off-the-shelf software and hardware components with known vulnerabilities.
The FDA can reject connected devices after performing a cybersecurity review of premarket device submissions because of potential risks to individuals from cyberattacks affecting connected medical devices. While these devices help advance medical treatment, they can be vulnerable to cybersecurity threats. The OIG’s objective of this review was to “examine the Food and Drug Administration’s review of cybersecurity risks and controls to mitigate those risks before it clears or approves networked medical devices for use in the United States.”
According to the OIG report, the FDA reviewers consider known cybersecurity risks and threats when reviewing submissions and apply that knowledge to devices that display similar risk profiles. The reviewers will request more documentation and meetings about cybersecurity with the manufacturers if submissions do not contain the information necessary for an adequate review.2The FDA has also established an internal cybersecurity workgroup, conducted industry educational activities, and begun adding cybersecurity as a special control for certain premarket notification submissions.
The nature of the security concern
Networked medical devices include critical equipment such as hospital room infusion pumps, diagnostic imaging equipment, and pacemakers. OIG undertook this study after instances where connected medical devices were cleared or approved by the FDA but remained susceptible to cybersecurity threats, such as ransomware and unauthorized remote access.
For example, in 2015, the FDA alerted the public that a networked infusion pump could be remotely accessed and controlled by an unauthorized user who exploits a cybersecurity vulnerability. The FDA encouraged medical providers to phase out these pumps and replace them with equivalents that are less vulnerable to potential hackers who could remotely power off the device or manipulate the medication dosage the pump administered. In another recent incident, the FDA learned that unauthorized users could remotely access and control an implantable cardiac device. Although no actual physical harm is known to have occurred from hacking incidents involving networked medical devices, “white hat” hackers have demonstrated it is possible to gain unauthorized access to such devices, allowing hackers to arbitrarily modify a device’s settings, deplete the device’s battery life, or administer inappropriate and potentially hazardous pacing or shock to a patient.
FDA review process
The FDA regulates networked medical devices using a “total product lifecycle” approach, which consists of two phases: premarket and post-market. The FDA uses its 2014 and 2017 cybersecurity guidance3 to review premarket submissions from manufacturers. These guidance documents are intended to identify issues that that manufacturers should consider in the development life cycle to address design-related security vulnerabilities. In reviewing premarket submissions, the FDA specifically assesses whether a networked medical device is safe and effective for its intended use, which includes an evaluation of its cybersecurity vulnerabilities. More recently, the FDA has begun incorporating cybersecurity into the special controls that govern some networked medical devices.4
In addition, the FDA provided manufacturers with post-market cybersecurity guidance in 2016.5 Please see our prior client alert for more expansive discussion of these FDA guidance documents.6The FDA published this guidance to govern its own review of cybersecurity issues and to assist connected device manufacturers in more effectively managing cybersecurity risks.
FDA staff also use information about previously identified cybersecurity risks when conducting device reviews. For example, in its review of a submission for an insulin pump that used certain software, FDA reviewers will take into account a widely known password vulnerability that was identified in a similar device that was marketed by the same manufacturer.
In some cases, the FDA has rejected some devices in the final clearance stage because of insufficient cybersecurity. FDA staff report that they often receive submissions that insufficiently address cybersecurity at the initial stages, in spite of the available guidance reports. FDA reviewers frequently need to request additional cybersecurity documentation from manufacturers during the premarket review process.
OIG found that the FDA could integrate cybersecurity more comprehensively into its premarket device review process in three ways.
Pre-Submission Program meetings
First, OIG recommends that the FDA promote the use of its Pre-Submission (Pre-Sub) Program to address cybersecurity-related questions. The FDA’s Pre-Sub Program enables a manufacturer to voluntarily seek and obtain formal, targeted feedback from the FDA on the design, development, or testing of its medical device or its premarket submission.7
Revising the Refuse To Accept checklists to require cybersecurity documentation
Second, OIG recommends that the FDA include cybersecurity documentation as a criterion in its current Refuse To Accept checklists, which the agency uses to screen submissions against minimum criteria.
Updating the Smart template to prompt cybersecurity questions
Third, the FDA’s Smart template, which the FDA uses to guide its reviews of submissions, does not prompt FDA reviewers with specific cybersecurity questions and lacks a section for recording the results of the cybersecurity review. OIG stated that the absence of a dedicated cybersecurity section in the Smart template may result in a failure to perform cybersecurity reviews and/or less consistent cybersecurity reviews. OIG recommends that the FDA add cybersecurity as an element in the Smart template.
Notably, the FDA has already expressed its agreement with all three recommendations and intends to include them in its next update of these items. Medical device manufacturers should anticipate that the FDA will promulgate new policies and procedures responsive to OIG’s recommendations in the near future. In particular, the FDA’s premarket guidance provides cybersecurity recommendations that may be burdensome to incorporate late in the development life cycle. Manufacturers concerned about the FDA’s cybersecurity requirements should consider taking the following steps:
- Develop a cybersecurity plan that identifies security risks associated the use of the networked device, including hazards related to its use of software or network connectivity. Include in the cybersecurity plan a cybersecurity vulnerability and management process to assure software functionality. The vulnerability and management process should account for all security controls implemented to address the risks associated with the networked device.
- Implement encryption for device storage and for any network connections, particularly those that involve the storage or transmission of sensitive data, including personal information.
- Incorporate risk assessments and security testing as part of the device development life cycle.