News Feature | January 3, 2017

FDA Finalizes Cybersecurity Guidance On Postmarket Devices

By Jof Enriquez,
Follow me on Twitter @jofenriq

The U.S. Food and Drug Administration (FDA) has released a final guidance covering management of postmarket cybersecurity vulnerabilities for marketed and distributed medical devices.

Interconnected medical devices represent an attractive target for cyber attacks, but industry stakeholders have lagged behind in responding to these threats with appropriate vigor. FDA is trying to lead efforts to prioritize cybersecurity, as threats against medical device and health IT systems are expected to increase in both frequency and severity, damaging critical infrastructure and endangering lives.

"The best way to combat these threats is for manufacturers to consider cybersecurity throughout the total product lifecycle of a device," explains Suzanne B. Schwartz, M.D., M.B.A., FDA’s Associate Director for Science and Strategic Partnerships, at the Center for Devices and Radiological Health, in a blog post. "In other words, manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients."

FDA issued a final guidance on medical device premarket cybersecurity in October 2014, and is now releasing its final guidance on postmarket cybersecurity, the draft of which was released in January.

"Because cybersecurity risks to medical devices are continually evolving, it is not possible to completely mitigate risks through premarket controls alone. Therefore, it is essential that manufacturers implement comprehensive cybersecurity risk management programs and documentation consistent with the Quality System Regulation (21 CFR part 820), including but not limited to complaint handling, quality audit, corrective and preventive action, software validation and risk analysis, and servicing," states FDA in the 30-page final guidance.

The agency then lays out the critical components of an ideal cybersecurity risk management program, including elements consistent with the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (i.e., Identify, Protect, Detect, Respond, and Recover).

Schwartz writes in the FDA blog that manufacturers should, among other things:

  • Have a way to monitor and detect cybersecurity vulnerabilities in their devices
  • Understand, assess, and detect the level of risk a vulnerability poses to patient safety
  • Establish a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities (known as a “coordinated vulnerability disclosure policy”)
  • Deploy mitigations (e.g., software patches) to address cybersecurity issues early, before they can be exploited and cause harm

The final guidance devotes a section to remediating and reporting security vulnerabilities, reminding manufacturers that, "For cybersecurity routine updates and patches, the FDA will, typically, not need to conduct premarket review to clear or approve the medical device software changes."

Also, "Changes to a device that are made solely to strengthen cybersecurity are typically considered device enhancements, which may include cybersecurity routine updates and patches, and are generally not required to be reported, under 21 CFR part 806."

FDA likewise does not intend to enforce reporting requirements if there are no known serious adverse events or deaths associated with a known device vulnerability; or if the company implements a remediation plan to reduce the risk, and informs customers within 30 days; or implements a fix for the vulnerability within 60 days, among other conditions.

In addition, manufacturers are encouraged to actively participate as members of an Information Sharing and Analysis Organization (ISAO) that shares vulnerabilities and threats affecting medical devices, and to provide the ISAO with any customer communications upon notification of their customers.

ISAOs were mandated by EO 13691, issued in 2015, to serve as focal points for cybersecurity information sharing and collaboration within the private sector as well as between the private sector and government.

FDA states that, as cyber threats continue to evolve, it will refine existing guidance or release new guidance to help companies, providers, and patients manage these threats.

"Digital connections power great innovation—and medical device cybersecurity must keep pace with that innovation. The same innovations and features that improve health care can increase cybersecurity risks. This is why we need all stakeholders in the medical device ecosystem to collaborate to simultaneously address innovation and cybersecurity. We’ve made great strides but we know that cybersecurity threats are capable of evolving at the same pace as innovation, and therefore, more work must be done," Schwartz concludes in her blog post.