On October 1, 2014 the U.S. Food and Drug Administration finalized guidance on recommendations to manufacturers for managing cybersecurity risks to better protect patient health and information. The purpose of the guidance is to encourage manufacturers to consider possible cybersecurity risks while designing medical devices, and to have a plan for managing system or software updates. The FDA believes that this will reduce information security vulnerabilities for interoperable medical devices.
The final guidance, titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” recommends that manufacturers consider cybersecurity risks as part of the design and development of a medical device, and submit documentation to the FDA about the risks identified and controls in place to mitigate those risks. Manufacturers are encouraged to submit their cybersecurity plans when seeking approval of a new medical device. The guidance also recommends that manufacturers submit their plans for providing patches and updates to operating systems and medical software.
Medical devices are becoming more interconnected and interoperable. However, once a medical device is connected to a computer system or to the internet, it can be vulnerable to security breaches. Such breaches could expose protected health information to unauthorized persons or compromise the operation of a diagnostic or therapeutic medical device.
According to an FDA news release, the FDA’s concerns about cybersecurity vulnerabilities include malware infections on network-connected medical devices or computers, smartphones, and tablets used to access patient data; unsecured or uncontrolled distribution of passwords; failure to provide timely security software updates and patches to medical devices and networks; and security vulnerabilities in off-the-shelf software designed to prevent unauthorized access to the device or network. The FDA stated that it has neither an indication that specific devices or systems have been purposely targeted, nor reports that any patients have been harmed as a result of cybersecurity breaches, but remains concerned about device-related cybersecurity vulnerabilities and their potential to adversely impact public health.
The FDA’s concerns were illustrated by a report released at a major cyber security conference earlier this year by two information security researchers. The researchers indicated that medical devices that interconnect with hospital information networks can be highly vulnerable to hacking, and that a malicious intruder could potentially interfere with the operation of medical devices or obtain sensitive information. However, the researchers also concluded that the vast majority of the vulnerabilities could be readily identified with open source tools and remediated at low cost.
The perceived vulnerabilities of health care information systems and medical devices were also the subject of an alert by the FBI cyber division in April of this year.
The FDA states that it has been working closely with other federal agencies and the medical device industry to identify and communicate with stakeholders about vulnerabilities. The agency is planning a public workshop on October 21 and 22, 2014, to discuss how government, medical device developers, hospitals, cybersecurity professionals, and other stakeholders can collaborate to improve the cybersecurity of medical devices and protect the public health.
Unlike the HIPAA information security regulation that is binding on hospitals and other health care providers, the guidance document does not have the full force of law, and does not establish detailed standards to be followed by device manufacturers. However, the guidance document does refer manufacturers to a number of “FDA recognized consensus standards” that device manufacturers should review in addressing cybersecurity risks when preparing pre-market filings for devices that contain software (including firmware) or programmable logic as well as software that is itself a medical device. It is clear that these considerations will be taken into account in reviewing and approving premarket submissions. The Guidance also recommends that these factors be taken into consideration for devices subject to an Investigational Device Exemption and other devices which may be subject to the cybersecurity risks but are exempt from the requirement of FDA submissions.
The guidance document also contains five recommendations for documentation that manufacturers should submit in premarket submissions: a risk analysis and listing of controls; a matrix that links controls to identified risks; a summary of a plan for providing validated software updates throughout the lifecycle of the device; a summary of controls in place to maintain the integrity of device software; and device instructions for controls needed for the protection of the device in its “intended use environment.”
Notably, the FDA states that it “typically will not need to review or approve medical device software changes made solely to strengthen cybersecurity,” suggesting that the agency does not want to delay the propagation of patches needed to respond to known risks. The Guidance does not address whether existing regulations require manufacturers to provide updated software or patches in response to identified security vulnerabilities.
The FDA’s Guidance should have an impact on the design of new and updated devices that are subject to FDA review. However, as the Guidance document notes, “medical device security is a shared responsibility between stakeholders, including health care facilities, patients, providers and manufacturers of devices.” Recent research suggests that health care facilities can take steps to better safeguard their existing devices without the need to make changes to the devices themselves.