Cybersecurity in Medical Devices Part 2: General Principles
Earlier we provided you with details on FDA’s recent draft guidance on cybersecurity in medical devices. Were you left wanting more? Well if you were wishing for additional information on the Agency’s recommendations, we have just want you’re looking for!
On January 15, 2016, the FDA published a draft guidance entitled, “Postmarket Management of Cybersecurity in Medical Devices,” which lists a number of recommendations to help medical device manufacturers protect patients from cybersecurity vulnerabilities in their devices.
The FDA acknowledges that cybersecurity in medical devices is a shared responsibility between stakeholders; these include: health care facilities, patients, providers, and manufacturers of medical devices. “Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury or death.”
The draft guidance states that effective risk management is critical in reducing patient risk by decreasing the chance that a device’s functionality could be compromised due to inadequate cybersecurity. As such, it is important that manufacturers have an effective cybersecurity risk management program in place. The program should incorporate both premarket and postmarket lifecycle phases, and address cybersecurity from medical device conception to obsolescence.
On October 2, 2014, the FDA issued a guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” This guidance provides “recommendations for manufacturers to address cybersecurity during the design and development of the medical device, as this can result in more robust and efficient mitigation of patient risks.”
It is extremely important for medical device manufacturers to address vulnerabilities as thoroughly as possible before the device is on the market. However, due to the constantly changing nature of cybersecurity risks, it is not always possible to completely mitigate risks through premarket controls alone. As such, it is crucial for manufacturers to implement a comprehensive cybersecurity risk management program. Critical components of such a program include:
- Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk
- Understanding, assessing and detecting presence and impact of a vulnerability
- Establishing and communicating processes for vulnerability intake and handling
- Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk
- Adopting a coordinated vulnerability disclosure policy and practice
- Deploying mitigations that address cybersecurity risk early and prior to exploitation
Postmarket cybersecurity information can originate from various sources such as independent security researchers, in-house testing, suppliers of software or hardware technology, health care facilities, and information sharing and analysis organizations. “It is strongly recommended that manufacturers participate in a cybersecurity ISAO, as sharing and dissemination of cybersecurity information and intelligence pertaining to vulnerabilities and threats across multiple sectors is integral to a successful postmarket cybersecurity surveillance program.”
A structured and systematic approach to risk and quality management programs is essential in managing postmarket cybersecurity risks for medical devices. “For example, such a program should include:
- Methods to identify, characterize, and assess a cybersecurity vulnerability.
- Methods to analyze, detect, and assess threat sources. For example:
- A cybersecurity vulnerability might impact all of the medical devices in a manufacturer’s portfolio based on how their products are developed.
- A cybersecurity vulnerability could exist vertically (i.e., within the components of a device) which can be introduced at any point in the supply chain for a medical device manufacturing process.
It is recommended as part of a manufacturer’s cybersecurity risk management program that the manufacturer incorporates elements consistent with the NIST Framework for Improving Critical Infrastructure Cybersecurity (i.e., Identify, Protect, Detect, Respond, and Recover).”
The Agency recognizes that medical devices and the surrounding network infrastructure cannot be completely secured, and that the presence of vulnerabilities does not necessarily produce safety concerns. As such, vulnerabilities that do not appear to currently impact the clinical performance of the device should be regularly assessed for future impact.
Defining Essential Clinical Performance
Essential clinical performance is a concept that was developed for this [draft] guidance and “means performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer. Compromise of the essential clinical performance can produce a hazardous situation that results in harm and/or may require intervention to prevent harm.”
As part of their risk management efforts, manufacturers should define the essential clinical performance of their medical device, the resulting severity outcomes if compromised, and the risk acceptance criteria. Defining these requirements helps manufacturers to triage vulnerabilities that require remediation.
“When defining essential clinical performance, manufacturers should consider the requirements necessary to achieve device safety and effectiveness. Understanding and defining essential clinical performance is of importance in assessing a vulnerability’s impact on device performance, and in determining whether proposed or implemented remediation can provide assurance that the cybersecurity risk to the essential clinical performance is reasonably controlled. Importantly, acceptable mitigations will vary according to the device’s essential clinical performance.”
In addition to the above mentioned general principles, the draft guidance also provides a number of other recommendations, including:
- Medical Device Cybersecurity Risk Management
- Assessing Exploitability of the Cybersecurity Vulnerability
- Assessing Severity Impact to Health
- Evaluation of Risk to Essential Clinical Performance
- Remediating and Reporting Cybersecurity Vulnerabilities
- Controlled Risk to Essential Clinical Performance
- Uncontrolled Risk to Essential Clinical Performance
- Recommended Content to Include in PMA Periodic Reports
Do you have a medical device that may be susceptible to cybersecurity vulnerabilities? We can help with all of your drug and medical device needs. For more information on our services and how we can help you achieve a positive outcome with FDA, contact us today.
Additional information on FDA’s recommendations for managing cybersecurity in medical devices is available in our preceding FDA News article entitled, “Cybersecurity in Medical Deivces Part 1: Networked Medical Devices & Cybersecurity Vulnerabilities