On June 14, 2013, the Food and Drug Administration (FDA) issued a draft guidance that provides recommendations for manufacturers to consider when preparing premarket submissions for medical devices.1 The agency issued the guidance, entitled "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices," to reduce the risk of unauthorized access to, and use of, information stored on devices, given the increasing use of Internet-connected devices and the frequent electronic exchange of health information through them. This guidance supplements other guidance documents that FDA has issued on the topic.2
The guidance applies to devices that contain software (including firmware) or programmable logic, and pertains to the following types of premarket submissions:
- Premarket Notification (510(k)) including Traditional, Special, and Abbreviated 510(k) submissions;
- De novo petitions;
- Premarket Approval Applications (PMA);
- Product Development Protocols (PDP); and
- Humanitarian Device Exemption (HDE) submissions.
Manufacturers may also consider applying the guidance’s cybersecurity principles as appropriate to Investigational Device Exemption submissions and to devices exempt from premarket review.
Types of Security Controls
According to the guidance, the extent to which security controls are necessary will depend on the device and on the risks to patients from a security breach. A device capable of connecting to another device, to the Internet, or to portable media (e.g., a USB drive) is more likely to require extensive security controls.
However, the agency warns against controls that would hinder access to a device in an emergency.
FDA suggests that manufacturers consider cybersecurity during a device's design phase, because addressing risks at that stage allows them to be mitigated more efficiently than retrofitting controls later.
In the premarket submission, FDA recommends that manufacturers consider the following methods of increasing cybersecurity:
- Limiting Access to Trusted Users:
- Allowing access to the device only after the user has been verified through authentication (e.g., user ID and password, smartcard, or biometric);
- Programming sessions to log off after a period of inactivity; and
- Differentiating privileges based on the user’s role (e.g., caregiver, administrator).
- Ensuring Trusted Content:
- Restricting software updates to authenticated code; and
- Encrypting data so that it cannot be read or used by anyone who does not hold the corresponding key.
- Using Fail Safe and Recovery Features:
- Implementing features that protect the device’s critical functionality, even when the device’s security has been compromised; and
- Allowing an authenticated system administrator to retain and recover a device’s configuration.
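The "trusted content" control above (restricting software updates to authenticated code) is the one that most often goes wrong in practice, because an update that is merely checksummed, or signed without binding the version, can be tampered with or rolled back. The following is an added example, not code from the guidance or from any manufacturer, showing the check a device would run before applying an update. It assumes a hypothetical update container (image plus detached Ed25519 signature over the SHA-256 of the version and image) and a manufacturer public key provisioned on the device at manufacture time; the key generation here is only so the example runs stand-alone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical firmware update container (an assumption for
// this example): the image, its version, and a detached Ed25519 signature.
type UpdatePackage struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify against manufacturer key")
	ErrRollback     = errors.New("update rejected: version is not newer than installed version")
)

// signedMessage binds the version to the image digest. Signing the image alone
// would let an attacker replay an old, validly signed image (a rollback attack).
func signedMessage(version uint32, image []byte) []byte {
	h := sha256.New()
	h.Write([]byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)})
	h.Write(image)
	return h.Sum(nil)
}

// SignUpdate is the manufacturer-side step: the private key never leaves the build system.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedMessage(version, image)),
	}
}

// VerifyUpdate is the device-side check. The signature is verified first, so
// nothing in the package is trusted (not even its version field) until the
// manufacturer key has vouched for it; only then is the anti-rollback check applied.
func VerifyUpdate(pub ed25519.PublicKey, installedVersion uint32, pkg UpdatePackage) error {
	if !ed25519.Verify(pub, signedMessage(pkg.Version, pkg.Image), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Version <= installedVersion {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed sample: a throwaway key pair and a fake image, for demonstration only.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v2")
	pkg := SignUpdate(priv, 2, image)

	fmt.Println("genuine update:", VerifyUpdate(pub, 1, pkg))

	tampered := pkg
	tampered.Image = []byte("constructed firmware image v2, backdoored")
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, tampered))

	fmt.Println("replayed old version:", VerifyUpdate(pub, 2, pkg))
}
```

Note that the check is only as strong as the storage of the device-side public key: if an attacker can overwrite that key, they can sign their own updates, which is why the guidance's "fail safe" controls (protecting critical functionality even when other parts of the device are compromised) belong alongside this one rather than instead of it.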
Manufacturers should define and document the following as part of their risk analysis required by 21 C.F.R. § 820.30(g):
- Identification of assets, threats, and vulnerabilities;
- Impact assessment of the threats to and vulnerabilities of device functionality;
- Assessment of the likelihood of a threat and of a vulnerability being exploited;
- Determination of risk levels and suitable mitigation strategies; and
- Residual risk assessment and risk acceptance criteria.
In a premarket submission, FDA suggests that manufacturers provide the following:
- A hazard analysis, mitigations, and design considerations relating to cybersecurity risks associated with the device, including justifications for established controls;
- A traceability matrix that links actual controls to the risks considered;
- A systematic plan for providing validated updates to operating systems or software to provide updated protection;
- Appropriate documentation to demonstrate that the device will be free of malware; and
- Instructions and specifications for any anti-virus software and/or firewall that the manufacturer recommends.
Reps. Anna Eshoo (D-Calif.), Ranking Member of the Subcommittee on Communications and Technology and Co-chair of the House Medical Technology Caucus, and Ed Markey (D-Mass.), senior member of the Energy and Commerce Committee, welcomed the guidance.3 Their support follows a 2012 Government Accountability Office report4 that documented the vulnerability of implantable devices to information security threats.
Consistent with the FDA's good guidance practices regulation,5 the guidance does not create or confer any rights on anyone and does not bind the FDA. Companies are free to use an alternative approach, so long as it satisfies the requirements of the applicable statutes and regulations. But because the guidance represents agency action to educate the regulated industry on cybersecurity issues in premarket submissions, companies developing devices should review it carefully.
Comments should be submitted to FDA by September 12, 2013. A copy of the guidance document is available here.6