The Food and Drug Administration’s (FDA) most recent draft guidance focuses on cybersecurity in postmarket medical devices and makes recommendations for identifying, assessing, and responding to cybersecurity vulnerabilities. The draft guidance, issued January 22, 2016, applies to medical devices that contain software (including firmware) and software that is a medical device.
The draft guidance follows the October 2014 guidance on cybersecurity in premarket medical devices, which recommended that developers and manufacturers consider cybersecurity risks as part of the design and development of medical devices. The guidance recommends they submit documentation to the FDA about those risks and the controls in place to mitigate them. The guidance also supplements the information addressed in the FDA’s previously issued guidance on cybersecurity for networked devices containing OTS software.
In its most recent guidance, the FDA recommends manufacturers of medical devices monitor, identify, and address cybersecurity vulnerabilities as part of their postmarket management of medical devices. Manufacturers should develop comprehensive risk management programs that include:
- Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk
- Understanding, assessing, and detecting the presence and impact of a vulnerability
- Establishing and communicating processes for vulnerability intake and handling
- Clearly defining essential clinical performance to develop mitigations that protect, respond, and recover from the cybersecurity risk
- Adopting a coordinated vulnerability disclosure policy and practice
- Deploying mitigations that address cybersecurity risk early and prior to exploitation
The FDA also strongly recommends manufacturers join an Information Sharing and Analysis Organization (ISAO) as a way to promote collaboration among manufacturers. The FDA believes that sharing information about cybersecurity risks can enhance management of individual vulnerabilities and allow others in the medical device community to collectively enhance cybersecurity.
As a part of the risk management process, the draft guidance recommends manufacturers maintain through the device lifecycle an ongoing process for identifying cybersecurity hazards, estimating, evaluating, and controlling the associated risks, and monitoring the effectiveness of the controls. This process should focus on assessing the risk to the device’s essential clinical performance (i.e., the performance that is necessary to achieve freedom from unacceptable clinical risk as defined by the manufacturer) based on the exploitability of the cybersecurity vulnerability and the severity of the potential impact on health. Based on the relationship between the two factors, manufacturers could determine whether a particular vulnerability poses a low risk of compromising the device’s essential clinical performance (a ”controlled risk”) or a high risk (an ”uncontrolled risk”).
The draft guidance also gives recommendations for remediating risks and reporting vulnerabilities. Most routine cybersecurity updates and patches do not require notification, premarket review, or reporting. Manufacturers are not required to report controlled risks and can update devices without notification, premarket review, or reporting because the update will be considered a routine update or patch. For uncontrolled risks, FDA notification may be required. The FDA, however, will not require notification for uncontrolled risks if there are no known serious adverse effects or deaths associated with the risk; if the manufacturer notifies users and addresses the issue within 30 days of learning of the vulnerability; and the manufacturer is a member of an ISAO.
Similar to previous guidance issued on cybersecurity, the FDA’s most recent guidance signals the FDA’s continued focus on the evolving and complicating role that technology is playing in the health care industry.
Ballard Spahr’s Privacy and Data Security Group monitors legislative and regulatory developments at both the federal and state levels and can assist with establishing or enhancing cybersecurity programs.