Security researchers have been discussing medical device security for some time now, with some even predicting that there will be medical device ransomware attacks this year. It is therefore timely that the US Food and Drug Administration (FDA) – which oversees medical devices – recently issued two pieces of draft guidance.
In one document, the FDA addresses post-market management of cybersecurity in medical devices. In the second document, the FDA addresses interoperable medical devices, and much of its guidance involves cybersecurity issues. The FDA will accept comments on its draft guidance for a brief period of time. Below, we provide our analysis of the FDA’s guidance.
Postmarket Management of Cybersecurity in Medical Devices
The FDA’s draft cybersecurity guidance applies to medical devices that contain software (including firmware) or programmable logic, and software that is a medical device. While the FDA recognizes that device cybersecurity is a shared responsibility between stakeholders including health care facilities, patients, providers, and manufacturers of medical devices, the FDA’s guidance is directed at device manufacturers – the entities within its jurisdiction.
Initially, the FDA cautions that effective risk management is necessary – both premarket and at post-market stages – and suggests that manufacturers apply the NIST Framework for Improving Critical Infrastructure Cybersecurity, which is consistent with the FDA’s guidance. The FDA also recommends that device manufacturers participate in an Information Sharing and Analysis Organization (ISAO) – and incentivizes participation by relaxing reporting requirements in certain situations for manufacturers that do.
The FDA recommends that a device manufacturer have a “structured and systematic approach to risk management and quality management systems” to address “continually evolving” risks, consistent with the Quality System Regulation, 21 CFR Part 820. Key points from the FDA’s detailed guidance are:
- Companies should define “essential clinical performance” – which is “performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer,” along with the resulting severity outcomes if compromised, and the risk acceptance criteria. This process will allow companies to triage vulnerabilities for remediation.
- A manufacturer should establish, document, and maintain throughout the medical device lifecycle an ongoing process for identifying cybersecurity risks, evaluating and controlling risks, and monitoring the effectiveness of the controls. To assist with the vulnerability assessment and triage, the FDA suggests using or adapting an existing assessment tool or similar scoring system, such as the “Common Vulnerability Scoring System,” Version 3.0.
- Manufacturers should have a process for determining the severity of the impact to health if a cybersecurity vulnerability were to be exploited. Although the FDA notes that there are many potentially acceptable approaches, the guidance specifically mentions ANSI/AAMI/ISO 14971:2007/(R)2010, Medical Devices – Application of Risk Management to Medical Devices.
- The FDA suggests assessing the acceptability of risk to essential clinical performance – one method of doing so is plotting on a chart the ease of exploitability (e.g., high, medium, low) on one axis, and severity impact to health if the vulnerability is exploited (e.g., negligible to catastrophic). For instance, a highly-exploitable risk with a serious impact to health may be an uncontrolled risk requiring remediation, but if that same risk was extremely difficult to exploit, a manufacturer may be able to consider that risk controlled.
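The triage process described in the four points above, worked through as an added example (not code from the FDA guidance or from this post): the CVSS v3.0 exploitability sub-score is computed from a vector string using the weights in the CVSS v3.0 specification, binned into the guidance's high/medium/low ease of exploit, and crossed with a health-impact severity against a manufacturer-defined acceptance matrix. The bin thresholds, the acceptance matrix and the sample findings are assumptions constructed for illustration; a manufacturer sets its own criteria.

```python
# Added example: CVSS v3.0 exploitability + health-severity risk-acceptance triage.
# Weights below are the CVSS v3.0 exploitability metric values (AV, AC, PR, UI).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}   # scope unchanged
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}      # scope changed
UI = {"N": 0.85, "R": 0.62}

# Health-impact severity scale (ISO 14971-style qualitative levels).
SEVERITIES = ("negligible", "minor", "serious", "critical", "catastrophic")

# ASSUMED acceptance criteria: for each ease-of-exploit row, the severities a
# manufacturer might treat as controlled (acceptable) risk. Everything else is
# uncontrolled and needs remediation or compensating controls.
ACCEPTABLE = {
    "low":    {"negligible", "minor", "serious"},
    "medium": {"negligible", "minor"},
    "high":   {"negligible"},
}

def exploitability(vector):
    """CVSS v3.0 exploitability sub-score (0 to 3.9) from e.g. 'AV:N/AC:L/PR:N/UI:N/S:U'."""
    m = dict(part.split(":") for part in vector.split("/"))
    pr = PR_CHANGED if m.get("S") == "C" else PR_UNCHANGED
    return round(8.22 * AV[m["AV"]] * AC[m["AC"]] * pr[m["PR"]] * UI[m["UI"]], 2)

def ease_of_exploit(score):
    """Bin the sub-score into high/medium/low (thresholds are an assumption)."""
    return "high" if score >= 2.5 else "medium" if score >= 1.5 else "low"

def triage(finding):
    """Classify one finding as controlled or uncontrolled risk to essential clinical performance."""
    if finding["severity"] not in SEVERITIES:
        raise ValueError("unknown severity: %s" % finding["severity"])
    score = exploitability(finding["cvss"])
    ease = ease_of_exploit(score)
    status = "controlled" if finding["severity"] in ACCEPTABLE[ease] else "uncontrolled"
    return {"id": finding["id"], "exploitability": score, "ease": ease, "status": status}

def remediation_queue(findings):
    """Order findings for remediation: uncontrolled first, then by ease of exploit."""
    rows = [triage(f) for f in findings]
    return sorted(rows, key=lambda r: (r["status"] != "uncontrolled", -r["exploitability"]))

# Constructed sample findings: F-1 and F-2 share the same serious health impact but
# differ only in how hard they are to exploit, mirroring the guidance's illustration.
FINDINGS = [
    {"id": "F-1", "cvss": "AV:N/AC:L/PR:N/UI:N/S:U", "severity": "serious"},      # network, no auth
    {"id": "F-2", "cvss": "AV:P/AC:H/PR:H/UI:R/S:U", "severity": "serious"},      # physical + admin
    {"id": "F-3", "cvss": "AV:A/AC:L/PR:L/UI:N/S:C", "severity": "catastrophic"}, # adjacent, scope change
]

if __name__ == "__main__":
    for row in remediation_queue(FINDINGS):
        print(row)
```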
Based on the vulnerability assessment, a manufacturer should remediate – and in some cases, report – cybersecurity vulnerabilities:
- The FDA “generally” does not require reporting of changes to a device that are made “solely to strengthen cybersecurity,” such as routine cybersecurity updates and patches. However, periodic reporting requirements apply for premarket approval devices.
- Where there is uncontrolled risk, the FDA recommends that a manufacturer implement changes or compensating controls. The FDA recommends that where an official fix may not be feasible or immediately practicable, manufacturers should identify and implement risk mitigations and compensating controls, which may include a work-around or temporary fix. The FDA also explains circumstances where vulnerabilities should be reported. Under certain circumstances, participation in an ISAO, such as NH-ISAC, may excuse certain reporting obligations.
Our colleagues at the Health Law Pulse have also provided a detailed summary of the FDA’s draft guidance with special focus on content to be included in periodic reporting for premarket approval devices. Please see their post for an excellent summary of the draft guidance.
Guidance for Interoperable Medical Devices
Although cybersecurity is not the sole focus of the FDA’s document titled “Design Considerations and Premarket Submission Recommendations for Interoperable Medical Devices,” security concerns underlie much of the guidance dated January 26. For instance, the FDA recommends that device manufacturers:
- Conduct a risk analysis during the design and development process to consider risks associated with interoperability, reasonably foreseeable misuse (including inappropriate access to the device), and reasonably foreseeable combinations of events that can result in a hazardous situation.
- Define the purpose of the data interface and identify the level of interoperability needed to achieve the purpose, which would include considerations regarding the types of devices intended to be connected to, types of data exchange taking place, and the expected flow of information including acceptable and unacceptable commands.
- Consider the anticipated users of the device and ensure that sufficient information is made available to these users so that the data interface is used safely and effectively. For instance, IT professionals must understand the security requirements of the devices connected to the networks they maintain and operate, while system integrators must understand the capabilities of the device to perform adequate risk management and validation.
- Analyze security risks due to intended and unintended access of the medical device through an electronic data interface, while ensuring that basic safety and essential performance is maintained during normal and fault conditions.
The FDA also provides recommendations for premarket submissions. The FDA advises that information regarding security risks, risks from normal use and reasonably foreseeable misuse, and how the device operates under fault conditions, should also be addressed.
The FDA’s two recent guidance documents demonstrate that cybersecurity for medical devices is a priority for the FDA. The FDA is advocating a proactive approach to cybersecurity by encouraging companies to think about vulnerabilities, risk, and mitigation efforts throughout the medical device lifecycle. As these documents are still in draft form, medical device manufacturers may wish to closely review the guidance while the FDA is accepting comments. Comments on the cybersecurity guidance are due by April 21, 2016, and comments regarding the interoperability guidance are due by March 26, 2016.