Medical Device Cybersecurity: New FDA Recommendations for Manufacturers

In January of 2016, FDA released new guidelines for postmarket cybersecurity measures in medical devices.

These offer a number of best practices designed to assess and manage digital security vulnerabilities while detailing potential situations where hackers could gain access to patient records, or to the functions of a device itself.

While most of us are well aware of vulnerabilities to hacking when it comes to personal information, medical devices—especially those connected to a network—can be prime targets for malicious actors.

Security and the "Internet of Things"

Networked medical devices fall under the broader umbrella of the “Internet of Things” (IoT), which, in its most basic definition, includes anything that has an on/off switch and an internet connection.

Analysts from Gartner predict there will be more than 21 billion connected devices by 2020, making cybersecurity an obvious concern. 


But these come amid FDA's ongoing efforts to open new pathways for expediting devices to market. In an attempt to ensure cybersecurity measures are taken, even for fast-tracked devices, the Agency has laid out a few primary suggestions: 

1. Address security and privacy during product design and development

The Premarket Guidance provides that a device manufacturer’s premarket approach should identify assets, threats and vulnerabilities; assess the impact of those threats and vulnerabilities on device functionality and on end users/patients; determine risk levels and suitable mitigation strategies; and evaluate residual risks and risk acceptance criteria.

Since cyber risks are continually evolving, pre-market controls cannot alone address all potential risks.

Device manufacturers should therefore implement a comprehensive risk management program consistent with the FDA’s requirements contained in the Quality System Regulation (21 CFR §820), including but not limited to complaint handling (21 CFR §820.198), quality audit (21 CFR §820.22), corrective and preventive action (21 CFR §820.100), software validation and risk analysis (21 CFR §820.30(g)) and servicing (21 CFR §820.200).

2. Put a post-market cybersecurity risk management program in place

This program should apply the 2018 National Institute of Standards and Technology (“NIST”) voluntary “Framework for Improving Critical Infrastructure Cybersecurity.”

3. Evaluate the risks of essential clinical performance

FDA notes that not all cybersecurity vulnerabilities present patient safety concerns and recommends that device manufacturers define essential clinical performance for their products.

4. Identify vulnerabilities and assess risks

The Draft Guidance mentioned earlier suggests that the risks to a device’s clinical performance should be evaluated by considering:

  1. the exploitability of the cybersecurity vulnerability; and

  2. the severity of the health impact to patients if the vulnerability were to be exploited.

5. Remediate and report

FDA notes that the purpose of conducting a risk assessment and identifying existing vulnerabilities is to determine whether each identified vulnerability is “controlled” (acceptable risk) or “uncontrolled” (unacceptable risk).

Preparing for medical device cybersecurity threats

Device manufacturers can take steps now to address this guidance by establishing a cybersecurity risk management program. Here’s a model to follow:

  • Identify cybersecurity signals
  • Assess and characterize vulnerabilities
  • Analyze and model risks
  • Incorporate threat detection capabilities
  • Assess compensating controls
  • Mitigate the risks of essential clinical performance
  • Respond promptly when security gaps are identified

Publishing updates and reporting to FDA per 21 CFR §806

As stated in the recent Guidance, changes to a device made only to strengthen its cybersecurity capabilities are typically considered device enhancements and don’t require reporting.

Examples of this may include routine cybersecurity updates and patches. However, per 21 CFR §806.10(a), device manufacturers must report any manufacturer-initiated correction or removal of a device to reduce health risks posed by the device, or to resolve a violation of the FD&C Act which may present a risk to patient health. The exception to this rule is clearly laid out in the recent guidance:

“[A]ny regularly scheduled security updates or patches to a device, including upgrades to the software, firmware, programmable logic, hardware, or security of a device to increase device security as well as updates or patches to address vulnerabilities associated with controlled risk performed earlier than their regularly scheduled deployment cycle even if they are distributed to multiple units .... [They] may also include changes to product labeling, including the instructions for use, to strengthen cybersecurity through increased end-user education and use of best practices.” - Postmarket Management of Cybersecurity in Medical Devices

Want to learn more about current regulatory and compliance happenings in the medical device industry? Grab our free white paper: FDA Trends & Developments for the Medical Device Industry: 2016
