Data Protection Report - Norton Rose Fulbright

On December 28, 2016, the U.S. Food and Drug Administration (FDA) released final guidance on the management of cybersecurity vulnerabilities for marketed and distributed medical devices.  The guidance establishes a risk-based approach for the reporting of medical device cybersecurity vulnerabilities to the FDA.

The FDA guidance reflects the agency’s concerns that cybersecurity vulnerabilities in networked medical devices could affect a device’s performance and functionality, potentially exposing sensitive personal information or causing serious harm to patients. Recent ransomware attacks on hospitals have only highlighted these concerns. 

In issuing this guidance, the FDA turns its attention to “postmarket” cybersecurity vulnerabilities – meaning vulnerabilities discovered after a device is already on the market (as opposed to “premarket,” or during the design and development phase). With this guidance, the FDA acknowledges that, “[b]ecause cybersecurity risks to medical devices are continually evolving, it is not possible to completely mitigate risks through premarket controls alone.” Therefore, device manufacturers should establish a postmarket strategy for cybersecurity controls.

FDA Guidance

The guidance sets out specific measures that medical device manufacturers should take to manage postmarket cybersecurity vulnerabilities. The recommendations address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device.

The FDA recommends that manufacturers implement a structured and comprehensive program to manage cybersecurity risks that emerge after a device is already on the market. As part of the recommended program, medical device manufacturers should:

  • Monitor their devices for risks.
  • Implement and maintain a system for assessing and responding to reports of cybersecurity issues. In establishing such a system, the FDA recommends the adoption of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.
  • Participate in Information Sharing and Analysis Organizations (ISAOs) that share information on threats and vulnerabilities.

The guidance further recommends that, as part of the risk management process medical device manufacturers are already required to maintain under 21 CFR Part 820, manufacturers implement a process for objectively assessing whether a cybersecurity risk for their device(s) should be reported to the FDA. To assess whether reporting is necessary, the FDA advises manufacturers to consider:

  1. The exploitability of the cybersecurity vulnerability; and
  2. The severity of the health impact to patients if the vulnerability were exploited.

The guidance also offers several ways to remedy cybersecurity vulnerabilities, based on the type of device and the risk the vulnerability presents. Notably, actions that a manufacturer takes to remediate vulnerabilities that may present a risk to health will still require notification to the FDA under the existing rules on reporting corrections and removals of medical devices (21 CFR Part 806); the new guidance does not replace those obligations.

Our Take

The FDA guidance recognizes that cybersecurity vulnerabilities can pose serious threats to patients' health, while also acknowledging that not all cybersecurity vulnerabilities can be addressed before a device enters the market. In focusing on postmarket cybersecurity issues, the FDA makes clear that it expects manufacturers to monitor for and address medical device cybersecurity risks throughout the device lifecycle, not only during design and premarket review. The guidance provides medical device manufacturers with actionable steps that they can take to protect devices from cybersecurity breaches that could result in patient harm and liability. While the guidance is non-binding, manufacturers should consider complying with it in anticipation of further regulation. Given the FDA's increased focus on cybersecurity, and the apparent recognition by the incoming administration of the cybersecurity risk facing the US, more formal regulation may be forthcoming.
