The FDA's guidance on "Postmarket Management of Cybersecurity in Medical Devices" [PDF] is a complementary document to the 2014 "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" [PDF]. The 30 pages of the guidance contain detailed recommendations, and manufacturers of medical devices need to study them thoroughly.
The guidance is consistent with the cybersecurity guidelines set by the U.S. Government for other industries such as power grids and financial organizations and aims to protect critical infrastructures from cyber threats. Since most of the medical device manufacturing is in the private sector, the guidance also aims to facilitate cooperation between the public and private actors in preventing and mitigating cyber attacks.
#1. Medical devices: the guidance applies to medical devices containing software, firmware or programmable logic, as well as mobile medical devices and applications, and devices that are part of interoperable systems, including legacy devices already in use or on the market.
The agency explains that the scope of medical devices has grown to include any device that is connected to computer networks and can therefore be compromised.
#2. Patient Harm (IV): the guidance stresses the importance of risk-based assessments of cybersecurity vulnerabilities that could cause patient harm. Of note: Patient Harm replaces Essential Clinical Performance, which was used in the draft version. The definition of patient harm is aligned with ISO 14971.
Interestingly, the guidance excludes compromise of private data from the definition of patient harm and refers to HIPAA for privacy protection recommendations.
#3. Evaluation of Risk of Patient Harm (VI) is the key purpose of the cyber-vulnerability risk assessment, which needs to determine whether the risk of patient harm is:
- controlled/acceptable (low probability of an exploit harming patient health), or
- uncontrolled/unacceptable (high probability of an exploit harming patient health).
The agency suggests a matrix to evaluate risk acceptability, involving:
- the exploitability of the vulnerability
- the severity of patient harm in case the vulnerability is exploited
Of special note here is the recommendation to adopt a vulnerability disclosure policy and recognize that mitigation changes may affect the device’s performance.
#4. Postmarket Considerations (V) introduces recommendations to deploy a robust cybersecurity risk management program throughout the entire product lifecycle. The FDA emphasizes that such programs must include:
- Monitoring information sources (ISAO, customer complaints, service records) for news on new vulnerabilities and threats.
- Deploying threat modeling to define how to maintain safety and essential performance.
- Implementing mechanisms for monitoring third-party software for emerging vulnerabilities during the device's entire lifecycle.
- Design verification and validation for software updates and patches for vulnerabilities, including those in off-the-shelf software.
The cybersecurity program needs to be comprehensive, systematic, thoroughly documented and in compliance with the Quality System Regulation (21 C.F.R. Part 820). NIST has published guidance on cybersecurity programs for manufacturers, and the FDA's guidance contains an Appendix, "Elements of an Effective Postmarket Cybersecurity Program." It encompasses five elements: 1) identify; 2) protect or detect; 3) protect/respond/recover; 4) mitigate risks to safety and essential performance.
#5. Maintaining Safety and Essential Performance (V) links cybersecurity risk management to safety, essential performance, threat modeling, and mitigation actions.
Controlled risks can be patched in a routine update. They fall under the "cybersecurity routine updates and patches" group. These patches are not considered repairs and do not call for reporting under 21 CFR 806. If a manufacturer holds a PMA, the annual 21 CFR 814.84 report needs to mention the patch.
Uncontrolled risks must be remediated as soon as possible, by a patch, an update or a temporary "fix" (for example, disabling Internet connectivity). When a permanent patch takes some time to design and deploy, it is advisable to start with a quick temporary fix to ensure patient safety and then proceed with the permanent patch. Manufacturers must report these fixes to the FDA (21 CFR part 806).
#6. Reporting exceptions. The FDA waives 21 CFR 806 reporting if the three requirements are met:
- No deaths or other serious adverse events happened due to the vulnerability.
- The manufacturer has notified users of an available fix (temporary or permanent) no later than 30 days after learning of the vulnerability, and has instructed the users on how to apply the fix.
- No later than 60 days after learning of the vulnerability, the manufacturer fixes it, validates the change and distributes the patch. The manufacturer should follow up with end users after the patch has been distributed.
- The manufacturer is a member of an ISAC/ISAO.
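The risk-acceptability matrix of #3 and the reporting-exception criteria of #6 are easier to reason about once written down as a decision procedure. The Python sketch below is an added example, not code from the article or from the FDA: it encodes an illustrative matrix (the 0-10 exploitability scale, the 4.0/7.0 band cut-offs, the five severity levels and every cell of the matrix are assumptions, since the guidance leaves the actual thresholds to the manufacturer's risk assessment), applies the 30-day notification and 60-day fix windows and the exception criteria summarised above, and runs them over constructed vulnerability records (the `VULN-EXAMPLE-*` identifiers are placeholders). The `VulnerabilityRecord` class and all function names are hypothetical.

```python
"""Postmarket vulnerability triage sketch (added example, not FDA code).

The exploitability scale, band cut-offs, severity levels and matrix cells
are assumptions chosen for illustration. The 30/60-day windows and the
exception criteria follow the article's summary of the guidance.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Severity(Enum):
    """Qualitative severity of patient harm (assumed ISO 14971-style scale)."""
    NEGLIGIBLE = 1
    MINOR = 2
    SERIOUS = 3
    CRITICAL = 4
    CATASTROPHIC = 5


def exploitability_band(score: float) -> int:
    """Bucket an assumed 0-10 exploitability score into low/medium/high (0/1/2).

    The cut-offs 4.0 and 7.0 are illustrative, not values from the guidance.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError("exploitability must be within 0..10")
    if score < 4.0:
        return 0
    if score < 7.0:
        return 1
    return 2


# Risk-acceptability matrix: rows are severity of patient harm, columns are
# the low/medium/high exploitability bands. Every cell is an assumption a
# manufacturer would replace with the outcome of its own risk assessment.
ACCEPTABILITY = {
    Severity.NEGLIGIBLE:   ("controlled", "controlled", "controlled"),
    Severity.MINOR:        ("controlled", "controlled", "controlled"),
    Severity.SERIOUS:      ("controlled", "uncontrolled", "uncontrolled"),
    Severity.CRITICAL:     ("controlled", "uncontrolled", "uncontrolled"),
    Severity.CATASTROPHIC: ("uncontrolled", "uncontrolled", "uncontrolled"),
}


def classify_risk(exploitability: float, severity: Severity) -> str:
    """Return 'controlled' or 'uncontrolled' by looking up the matrix."""
    return ACCEPTABILITY[severity][exploitability_band(exploitability)]


@dataclass
class VulnerabilityRecord:
    """One postmarket vulnerability as tracked by a hypothetical manufacturer."""
    vuln_id: str
    learned_on: date                 # day the manufacturer learned of it
    exploitability: float
    severity: Severity
    serious_adverse_events: bool     # any deaths or serious adverse events?
    isao_member: bool                # manufacturer participates in an ISAO/ISAC
    users_notified_on: Optional[date] = None   # fix or workaround communicated
    fix_distributed_on: Optional[date] = None  # validated fix shipped


def deadlines(learned_on: date) -> dict:
    """30-day user-notification and 60-day fix windows from the guidance."""
    return {"notify_by": learned_on + timedelta(days=30),
            "fix_by": learned_on + timedelta(days=60)}


def part_806_report_required(rec: VulnerabilityRecord) -> tuple:
    """Decide whether a 21 CFR 806 report is still owed, with the reasons.

    Controlled risks are routine updates and never trigger a report here.
    Uncontrolled risks are reportable unless every exception criterion is met.
    """
    if classify_risk(rec.exploitability, rec.severity) == "controlled":
        return (False, ["controlled risk: routine cybersecurity update"])
    due = deadlines(rec.learned_on)
    failures = []
    if rec.serious_adverse_events:
        failures.append("serious adverse events or deaths reported")
    if rec.users_notified_on is None or rec.users_notified_on > due["notify_by"]:
        failures.append("users not notified of a fix within 30 days")
    if rec.fix_distributed_on is None or rec.fix_distributed_on > due["fix_by"]:
        failures.append("validated fix not distributed within 60 days")
    if not rec.isao_member:
        failures.append("manufacturer is not an ISAO/ISAC member")
    return (bool(failures), failures)


def demo() -> dict:
    """Run the triage over three constructed records and return the verdicts."""
    learned = date(2017, 3, 1)  # constructed date
    met = VulnerabilityRecord("VULN-EXAMPLE-1", learned, 8.5, Severity.SERIOUS,
                              False, True,
                              users_notified_on=learned + timedelta(days=12),
                              fix_distributed_on=learned + timedelta(days=55))
    late = VulnerabilityRecord("VULN-EXAMPLE-2", learned, 8.5, Severity.SERIOUS,
                               False, True,
                               users_notified_on=learned + timedelta(days=12),
                               fix_distributed_on=learned + timedelta(days=75))
    routine = VulnerabilityRecord("VULN-EXAMPLE-3", learned, 2.0, Severity.MINOR,
                                  False, False)
    out = {r.vuln_id: part_806_report_required(r) for r in (met, late, routine)}
    out["deadlines"] = {k: v.isoformat() for k, v in deadlines(learned).items()}
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The value of writing the rules this way is that the evidence behind a "no report needed" decision (dates, ISAO membership, absence of adverse events) sits in one record that can be kept under the 21 CFR Part 820 documentation the guidance expects, and any change to the matrix is a visible edit rather than a judgement buried in a spreadsheet.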
#7. Criteria for Defining Active Participation by a Manufacturer in an ISAO (IX) urges manufacturers to participate in an Information Sharing and Analysis Organization.
ISAO/ISAC (Information Sharing and Analysis Organization/Center): non-profit, industry-specific organizations created to let members share knowledge about data security. Members of these organizations benefit from a few legal exemptions that apply to the information they share. NH-ISAC (the National Health ISAC) is the ISAC for the healthcare sector.
#8. Impact on Industry
The basic principles of the NIST framework must be adopted in the manufacturers' cybersecurity program, and medical device cybersecurity must be taken into account throughout the entire product lifecycle. Pre-market, manufacturers should incorporate cybersecurity management inputs and design an approach that determines:
- Assets and vulnerabilities;
- How threats/vulnerabilities may cause Patient Harm;
- The likelihood of threats;
- Risk levels, based on the promptness and strategies of mitigation;
- Residual risk assessment, and risk acceptance criteria.
Manufacturers must define the risk of patient harm, identify the cybersecurity vulnerabilities of their devices, assess and classify the existing risks and engage in remediation. A proper documentation of the process is expected.
The health IT community must engage in better information sharing. The FDA encourages medical device manufacturers and the health IT community as a whole to collaborate more closely in ISAOs and ISACs to facilitate threat identification and remediation. The FDA Center for Devices and Radiological Health (CDRH) also encourages the fostering of ISAOs and the role of NH-ISAC. Manufacturers of medical devices should consider joining an ISAC to:
- Have access to information and intelligence about cyber threats.
- Be exempt from some reporting requirements under 21 CFR 806 (uncontrolled risks).
- Have access to a community where manufacturers can share information exempt from regulatory use, civil litigation and the federal Freedom of Information Act, provided the shared data meets the requirements of the Critical Infrastructure Information Act.
Manufacturers must understand and comply with the mandatory reporting requirements under 21 CFR 806. This is one of the most complex points, since reporting is difficult to draft and apply and raises concerns about proprietary data protection.
The FDA has been explicit that manufacturers must deploy comprehensive cybersecurity and risk analysis over the entire lifecycle of a medical device. The primary focus of the analysis is the risk of patient harm. The guidance includes legacy and mobile devices in the scope of medical devices, recognizing that connectivity increases the chances of a device compromise.
The good news is the reduced reporting to the agency in certain cases, and ways to disclose vulnerabilities without assuming a litigation risk.
At this point, manufacturers should acknowledge the FDA's increasing attention to cybersecurity and take these recommendations as seriously as possible. As medical devices become more connected and smarter than ever, we can expect that some of the recommendations, if not most, could become mandatory in the foreseeable future.