The life sciences sector is facing an increasing number of cybersecurity threats. In response to this growing issue in the medical device industry, the United States Food and Drug Administration (FDA) issued a draft guidance on managing cybersecurity risks in medical devices, "Postmarket Management of Cybersecurity in Medical Devices", in late January 2016 (Guidance).
A cybersecurity breach can result in compromised device functionality, loss of data (including critical and sensitive information), loss of data integrity, and exposure of other connected devices and systems to the same threat. When talking about medical devices the stakes are high, as such an event may result in patient illness, injury or death.
While the Guidance itself will not be binding, given the influential nature of the FDA it is likely that the Guidance, once finalised, will have a significant impact on industry standards and expectations in the medical device industry in particular and the life sciences sector more generally.
The Guidance covers medical devices that contain software (including firmware) or programmable logic, as well as software that is itself a medical device. The Guidance advocates a proactive, risk-based approach to cybersecurity management throughout the entire lifecycle of the device, from inception to retirement. An important starting point in this process is defining the "Essential Clinical Performance" of the medical device: the minimum performance the device must deliver to remain free from unacceptable clinical risk. This then provides the benchmark against which cybersecurity risks to the device are assessed.
The Guidance largely focuses on the post-market phase of cybersecurity management, recommending that medical device manufacturers establish an objective process for:
A. identifying cybersecurity vulnerabilities
B. assessing the exploitability of those vulnerabilities
C. assessing the severity of the potential impact to health
D. evaluating the resulting risk to Essential Clinical Performance
E. remediating and reporting cybersecurity vulnerabilities.
The Guidance also acknowledges the importance of collaboration and information sharing between a range of stakeholders in the industry, including public agencies, medical device manufacturers, information technology vendors and users, to effectively identify and address cybersecurity risk.
The "internet of things" and e-health revolutions continue to enable devices that provide medical care and treatment outside of traditional health care environments (e.g. pumps or drips that administer drugs in the home and vary dosages without a doctor or nurse being physically present). As they do, the risks posed by cyber attacks will change in several respects, including the nature and origin of the threats and the seriousness of the possible consequences. The "security by design" approach which the Guidance advocates is critical to identifying, understanding and minimising the risks associated with smart, connected medical devices.