3 Important Changes in FDA's Final Guidance for Postmarket Medical Device Cybersecurity

Postmarket Cybersecurity Recommendations for Medical Devices

On December 28th, The US Food and Drug Administration (FDA) issued its finalized guidance for postmarket cybersecurity management for medical devices.

Most of the recommendations in the final guidance are in line with the draft version released last January; however, regulators have made some important changes, specifically related to cybersecurity vulnerability disclosure, participation in Information Sharing Analysis Organizations (ISAOs), and remediating and reporting medical device cybersecurity vulnerabilities.

The Final Guidance

In general, the final guidance offers details into a framework for medical device manufacturers to establish a postmarket cybersecurity risk management program, with specific criteria for reporting vulnerabilities depending on the risk posed to patients.

Manufacturers should now consider cybersecurity not as a separate concern, but as an essential part of a product's total lifecycle.

The final guidance includes a newly expanded list of critical components for a medical device cybersecurity risk management program, which should be considered across the lifecycle of the software process. These include monitoring third-party software for newly discovered vulnerabilities and validating software updates or patches designed to address vulnerabilities.

We've taken a closer look at the three significant changes in the final guidance below.

1. Disclosing and Reporting Medical Device Cybersecurity Vulnerabilities

In the final guidance, regulators recommend manufacturers implement a disclosure policy "acknowledging the receipt of the initial vulnerability report to the vulnerability submitter."

This provision addresses a concern among security experts that some companies don't respond once they receive a vulnerability report regarding their products.

In addition to responses, the guidance also clarifies when cybersecurity vulnerabilities should be reported in the first place.

Just as in the draft guidance, the final recommendations hold that manufacturers will not need to report actions taken to enhance a device's cybersecurity or address vulnerabilities, except in "a small subset of actions taken by manufacturers to correct device cybersecurity vulnerabilities and exploits that may result in patient harm."

The change pertains to examples of situations where a device change would be considered a routine update or patch, and as such, not be required for reporting under 21 CFR Part 806.

2. Participating in ISAOs

Absent from the draft guidance was a definition of "active participation" in an ISAO, which we've included here:

  • "The manufacturer is a member of an ISAO that shares vulnerabilities and threats that impact medical devices;
  • The ISAO has documented policies pertaining to participant agreements, business processes, operating procedures, and privacy protections;
  • The manufacturer shares vulnerability information with the ISAO, including any customer communications pertaining to cybersecurity vulnerabilities; and
  • The manufacturer has documented processes for assessing and responding to vulnerability and threat intelligence information received from the ISAO. This information should be traceable to medical device risk assessments, countermeasure solutions, and mitigations."

Both the draft and final versions of the guidance recommend that device manufacturers participate in ISAOs, and make active participation a condition for not having to report certain cybersecurity-related activity to the FDA.


3. Remediating Medical Device Cybersecurity Vulnerabilities

Along with the reporting measures described above, FDA has altered the criteria that must be met to avoid reporting uncontrolled vulnerabilities.

These include actions device companies must take within 30 days of discovering a new vulnerability—allowing for 60 days to fix it, validate a change to the product, and distribute a fixed product to consumers.


Both versions of the guidance recommend manufacturers conduct a cybersecurity vulnerability assessment, in addition to other measures, to determine the risk of patient harm and categorize risks as "controlled" or "uncontrolled." The final guidance lays out the following actions to take within 30 days of learning of a vulnerability:

  • Communicate with customers and the user community regarding the vulnerability
  • Identify interim compensating controls
  • Develop a remediation plan to bring the residual risk to an acceptable level

With only a short window of time to develop a comprehensive remediation plan that adequately addresses the root cause, it's important to consider all options at your disposal in order to develop an effective plan.

Contact us today to learn more about our remediation services. We pair you with experienced quality professionals to craft comprehensive remediation projects, communicate those plans to regulators, and execute on them through to completion.
