There has been a groundswell of effort by the U.S. Government to address growing cybersecurity risks in industry sectors from finance to energy. This first week of National Cyber Security Awareness Month has brought with it a continuation of the Government’s effort to provide cybersecurity guidance to industry. This most recent effort is focused on the medical device arena with the U.S. Department of Health and Human Service’s (“HHS”) release of a guidance document entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.”
The goal of the HHS guidance document is to encourage medical device manufacturers to address cybersecurity issues early during design and development of the medical device. With this in mind medical device manufactures can develop a set of controls to assure security and maintain functionality and safety of medical devices, to avoid potential risk of patient illness, injury or death.
The HHS guidance document has its foundation in the Framework for Improving Critical Infrastructure Cybersecurity released earlier this year (previous article at 7-8) and recommends that manufactures consider that framework’s core functions, namely “Identify”, “Protect”, “Detect”, “Respond”, and “Recover”. In the context of the HHS guidance document these functions can be summarized as follows:
- Identify: identify the risks associated with the device (e.g., is it a network connected device, does it have accessible data ports, where will it be used);
- Protect: provide the appropriate level of security for the risk (e.g., limit access, use strengthened passwords, use physical locks) and provide justification for the chosen security functions;
- Detect: implement device features that allow security compromises to be detected;
- Respond: provide a response plan to end users regarding actions to take following detection of a cybersecurity breach; and
- Recover: provide a method for retention and recovery of device configurations.
The HHS guidance document concludes with recommendations regarding what information manufactures should provide in their premarket medical device submission related to cybersecurity, including:
- “hazard analysis, mitigations and design considerations” regarding the cybersecurity risks associated with your device;
- a “traceability matrix” linking your cybersecurity controls to the considered risks;
- a summary describing a plan for providing software updates and patches to maintain device safety and effectiveness;
- a summary describing a plan to prevent introduction of malware from the point of origin to the point at which the device leaves the manufacturer’s control; and
- device instructions for recommended cybersecurity controls in the given environment (e.g., use of firewalls or anti-virus software).
The HHS guidance recommends that this information should be provided in the following premarket submission: Premarket Notifications, De novo submissions, Premarket Approval Applications, Product Development Protocols, and Humanitarian Device Exemption submissions.
While the HHS guidance document does not establish legally enforceable responsibilities, device manufactures should take notice. A failure to pay heed may result in inadequate cybersecurity measures that most importantly may risk harm to patients, but also may damage the company’s reputation and create increased liability risks should a breach occur.