Food And Drug Administration Issues Draft Guidance On Cybersecurity In Medical Devices

Contributed by Kristin A. Biedinger

On January 22, 2016, the Food and Drug Administration (“FDA”) released draft guidance regarding postmarket management of cybersecurity risks in medial devices[1].  This guidance comes over a year after the FDA issued similar guidance regarding cybersecurity risks in premarket submissions for medical devices.  This article provides a summary of the FDA guidance, which sets forth recommendations for developing and implementing a cybersecurity plan for medical devices.

The guidance is broken down into three main sections: (1) identify, (2) protect and detect, and (3) protect, respond, and recover.

  1. Identify

The guidance states that manufacturers should first define the essential clinical performance of their devices.  Essential critical performance is defined as “performance that is necessary to achieve freedom from unacceptable clinical risk.”  By identifying the essential critical performance, manufacturers can assess potential vulnerabilities and plan for remediation.  Manufacturers should also identify cybersecurity signals and report them as necessary.  Cybersecurity signals are defined as “any information which indicates the potential for, or confirmation of, a cybersecurity vulnerability or exploit that affects, or could affect a medical device.”

Manufacturers should develop and implement a reliable and reproducible intake method for handling vulnerability information.  It is also recommended that manufacturers implement detection mechanisms into their devices to not only increase the detection capability of the devices but also provide a method for capturing forensically reliable evidence in the event a cybersecurity event occurs.

  1. Protect and Detect

To enable manufacturers to remediate cybersecurity events, Manufacturers should characterize and assess all identified vulnerabilities.  Scoring systems, such as the Common Vulnerability Scoring Systems, are valuable tools that manufacturers can use to ensure all relevant factors are considered and provide a consistent means for evaluating these factors.  Cybersecurity risk analysis should also include threat modeling.  These models can be used by manufacturers to develop and implement remediation measures in the event of a cybersecurity event.  Potential sources of threats should be evaluated as part of this threat modeling.

As stated above, manufacturers should evaluate the potential of incorporating detection mechanisms within the actual devices themselves and not rely merely on the detection capabilities of the associated network.  Further, manufacturers should have procedures for evaluating cybersecurity signals horizontally, across all medical devices in a manufacturer’s portfolio, and vertically to determine the potential impact of components of the device itself.

  1. Protect, Respond, and Recover

Manufacturers should implement sufficient compensating controls.  Compensating controls are defined as a “safeguard or countermeasure, external to the device, employed by a user in lieu of, or in the absence of sufficient controls that were designed in by a device manufacturer, and that provides supplementary or comparable cyber protection for a medical device.”  Lastly, manufacturers should determine if the risks presented by the essential clinical performance are appropriately mitigated and controlled by the existing device features or other compensating controls.

After this analysis, manufacturers may determine that changes must be made to the medical device to reduce cybersecurity risks.  Changes that improve performance or quality of the medical device are considered enhancements and not recalls as long as the changes to not impact the essential critical performance.  For example, patches and routine updates are considered to be enhancements by the FDA.

This guidance stresses the need for manufacturers of medical devices to reduce cybersecurity risks throughout the product life cycle by developing and implementing a cybersecurity plan.  A failure to do so could result in patient illness or even death.

The FDA is seeking comments on this draft guidance. Comments can be sent electronically to http://www.regulations.go or to the Division of Dockets Management (HFA-305), Food and Drug Administration, 5630 Fishers Lane, rm. 1061, Rockville, MD 20852.  The full text of the guidance can be accessed here: http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf

[1] Medical devices are defined by the guidance as (1) medical devices that contain software (including firmware) or programmable logic, or (2) software that is a medical device.

For additional information, please contact Kristin Biedinger.