On December 28, 2016, the U.S. Food and Drug Administration (“FDA”) issued its latest industry guidance about the postmarket management of cybersecurity in medical devices. In an era where medical devices are increasingly used to collect and analyze health data, and to transmit information to other networked systems and devices, cybersecurity threats potentially pose a serious risk to patient safety. The FDA’s guidance, therefore, focuses on how manufacturers can monitor, identify, and address these cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices. The guidance is available in full here, and we provide an overview of key takeaways below.
Summary of Key Points
- Risk Management Programs. Manufacturers should implement cybersecurity risk management programs that emphasize addressing vulnerabilities that could result in patient harm. Critical components of such programs include:
  - Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  - Maintaining robust software lifecycle processes that include mechanisms for (1) monitoring third-party software components and (2) design verification and validation for software updates and patches that remediate vulnerabilities;
  - Understanding, assessing, and detecting the level of risk a vulnerability poses to patient safety;
  - Adopting a coordinated vulnerability disclosure policy and practice; and
  - Mitigating risks (e.g., via software patches) early and prior to exploitation.

  Manufacturers and other stakeholders should also consider applying the National Institute of Standards and Technology (“NIST”) Framework to Strengthen Critical Infrastructure Cybersecurity.
- Controlled/Uncontrolled Risks. The FDA’s guidance also describes how to assess whether a risk of patient harm qualifies as a “controlled” vs. an “uncontrolled” risk. This assessment is based on the likelihood of exploit, impact on device safety and performance, and the severity of harm.

  Controlled risk is present when there is an acceptable residual risk due to compensating controls and mitigating measures. Controlled risks can generally be addressed through routine updates and patches (considered “device enhancements”). Device enhancements do not require reporting under 21 C.F.R. Part 806.

  Uncontrolled risk is present when residual risk is unacceptable due to the inadequacy of compensating controls and mitigating measures. The actions taken to address unacceptable risks may be considered “corrections” or “removals,” which may require reporting under 21 C.F.R. Part 806. Failure to remediate uncontrolled risk may violate the Food, Drug, and Cosmetic Act, which can result in fines or other enforcement actions.
- ISAOs. Manufacturers are encouraged to participate in Information Sharing and Analysis Organizations (“ISAOs”), which serve as focal points for cybersecurity information sharing and collaboration. ISAOs gather and analyze critical infrastructure information in order to better understand cybersecurity issues, with the goal of preventing, detecting, mitigating, and/or recovering from the effects of cyber threats. The guidance also provides criteria defining active participation by a manufacturer in an ISAO.
While the FDA’s guidance is nonbinding in nature, it does serve to clarify the FDA’s expectations for medical device manufacturers. Accordingly, manufacturers should take steps to implement the FDA’s recommendations, assess the sufficiency of their risk management programs, proactively address risks (and especially uncontrolled risks), and consider participation in an ISAO.