By Jof Enriquez,
Follow me on Twitter @jofenriq
The U.S. Food and Drug Administration (FDA), through a draft guidance, is urging device makers to assess cybersecurity risks of medical devices in the post-market setting, and to report to the agency certain vulnerabilities that could endanger patients' lives.
“All medical devices that use software and are connected to hospital and health care organizations’ networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation,” said Suzanne Schwartz, M.D., M.B.A., associate director for science and strategic partnerships, and acting director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health (CDRH), in a release. “Today’s draft guidance will build on the FDA’s existing efforts to safeguard patients from cyber threats by recommending medical device manufacturers continue to monitor and address cybersecurity issues while their product is on the market.”
CDRH has identified cybersecurity as one of ten regulatory science priorities for 2016 amid growing concerns of hacking and device-specific vulnerabilities triggering safety alerts.
The agency previously issued final guidance for premarket cybersecurity management during the design stage of device development. The latest draft guidance, Postmarket Management of Cybersecurity in Medical Devices, enjoins manufacturers to create "a structured and systematic comprehensive cybersecurity risk management program" consisting of:
- Applying the 2014 National Institute of Standards and Technology (NIST) voluntary Framework for Improving Critical Infrastructure Cybersecurity
- Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk
- Understanding, assessing and detecting presence and impact of a vulnerability
- Establishing and communicating processes for vulnerability intake and handling
- Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk
- Adopting a coordinated vulnerability disclosure policy and practice
- Deploying mitigations that address cybersecurity risk early and prior to exploitation
As an example, FDA recommends that manufacturers conduct a matrix-based cyber-vulnerability risk assessment to evaluate whether the risk is part of the essential clinical performance of the device, and whether it’s controlled (acceptable) or uncontrolled (unacceptable). The agency may require certain vulnerabilities to be reported, according to RAPS.
“For a small subset of cybersecurity vulnerabilities and exploits that may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death, the FDA would require medical device manufacturers to notify the Agency,” FDA states in the guidance. Most other types of cybersecurity vulnerabilities requiring routine patches need not be reported.
Related, FDA has tapped the assistance of non-profit, federally funded R&D group Mitre to formulate a "Common Vulnerability Scoring System to serve as a vulnerability assessment tool that would be meaningful to the clinical environment, and directly applicable to medical devices," according to Health IT News.
The agency will discuss the draft guidance with stakeholders in a public workshop, “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity,” on January 20-21, 2016. Also on the agenda is highlighting collaborative efforts and increasing awareness of existing maturity models used to evaluate cybersecurity status, standards, and tools in development.
Joshua Corman, founder of I Am The Cavalry, a cybersafety advocacy group that worked with the FDA on the guidance, praised the agency for issuing its latest recommendations on cybersecurity, according to Reuters.
"I have found the FDA has been very forward thinking to get out in front of this and not wait for proof of harm before acting," he reportedly told the news outlet.