4 Feb 2016
FDA Issues Additional Guidance on Cybersecurity of Medical Devices
The Food and Drug Administration has issued a draft guidance document with non-binding recommendations to manufacturers as part of on-going efforts to better manage cybersecurity risks and protect patient health and personal information. The FDA is recommending that in addition to following the specific recommendations contained in this guidance, manufacturers should address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device.
The guidance document clarifies the FDA’s post-market recommendations and emphasises that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their post-market management of medical devices. For the majority of cases, actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered “cybersecurity routine updates or patches” for which the FDA does not require advance notification or reporting under 21 CFR part 806. For a small subset of cybersecurity vulnerabilities and exploits that may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death, the FDA would have to be notified.
An effective cybersecurity risk management programme should incorporate both pre-market and post-market lifecycle phases and address cybersecurity from medical device conception to obsolescence. It is recommended that manufacturers apply the “NIST Framework for Improving Critical Infrastructure Cybersecurity” (i.e., identify, protect, detect, respond and recover) in the development and implementation of their comprehensive cybersecurity programmes.
An October 2014 guidance document clarified recommendations for manufacturers to address cybersecurity during the design and development of the medical device, as this can result in more robust and efficient mitigation of patient risks. According to that document, manufacturers should establish design inputs for their devices related to cybersecurity and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis required by 21 CFR 820.30(g). The approach should appropriately address the following elements.
- identification of assets, threats and vulnerabilities
- assessment of the impact of threats and vulnerabilities on device functionality and end users/patients
- assessment of the likelihood of a threat and of a vulnerability being exploited
- determination of risk levels and suitable mitigation strategies
- assessment of residual risk and risk acceptance criteria
Because cybersecurity risks to medical devices are continually evolving, it is not possible to completely mitigate risks through pre-market controls alone. Therefore, the FDA believes that manufacturers should implement comprehensive cybersecurity risk management programmes and documentation consistent with the Quality System Regulation (21 CFR part 820), including complaint handling (21 CFR 820.198), quality audit (21 CFR 820.22), corrective and preventive action (21 CFR 820.100), software validation and risk analysis (21 CFR 820.30(g)) and servicing (21 CFR 820.200).
According to the FDA, these programmes should emphasise addressing vulnerabilities that may permit the unauthorised access, modification, misuse or denial of use, or the unauthorised use of information that is stored, accessed or transferred from a medical device to an external recipient and may impact patient safety. Manufacturers should respond in a timely fashion to address identified vulnerabilities. Critical components of such a programme include the following.
- monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk
- understanding, assessing and detecting the presence and impact of a vulnerability
- establishing and communicating processes for vulnerability intake and handling
- clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk
- adopting a co-ordinated vulnerability disclosure policy and practice
- deploying mitigations that address cybersecurity risk early and prior to exploitation
Post-market cybersecurity information may originate from an array of sources, including independent security researchers, in-house testing, suppliers of software or hardware technology, health care facilities, and information sharing and analysis organisations. The FDA strongly recommends that manufacturers participate in a cybersecurity information sharing and analysis organisation, as sharing and dissemination of cybersecurity information and intelligence pertaining to vulnerabilities and threats across multiple sectors is integral to a successful post-market cybersecurity surveillance programme.
To manage post-market cybersecurity risks for medical devices, a company should have a structured and systematic approach to risk management and quality management systems consistent with 21 CFR part 820. For example, such a programme should include methods to identify, characterise and assess a cybersecurity vulnerability, as well as methods to analyse, detect and assess threat sources. A cybersecurity vulnerability might impact all of the medical devices in a manufacturer’s portfolio, depending on how its products are developed, or it might exist vertically (i.e., within the components of a single device), having been introduced at any point in the supply chain of the medical device manufacturing process.
Manufacturers should define, as part of risk management, the essential clinical performance of their device, the resulting severity outcomes if it is compromised, and the risk acceptance criteria. When defining essential clinical performance, manufacturers should consider the requirements necessary to achieve device safety and effectiveness. Understanding and defining essential clinical performance is important both in assessing a vulnerability’s impact on device performance and in determining whether proposed or implemented remediation can provide assurance that the cybersecurity risk to the essential clinical performance is reasonably controlled. Importantly, acceptable mitigations will vary according to the device’s essential clinical performance. For example, a cybersecurity vulnerability affecting the essential clinical performance of a thermometer may be quite different from a cybersecurity vulnerability affecting the essential clinical performance of an insulin infusion pump.
As part of their risk management process consistent with 21 CFR part 820, manufacturers should also establish, document and maintain throughout the medical device lifecycle an on-going process for identifying hazards associated with the cybersecurity of a medical device, estimating and evaluating the associated risks, controlling these risks, and monitoring the effectiveness of the controls. This process should include risk analysis, risk evaluation, risk control, and incorporation of production and post-production information. Manufacturers should also have a defined process to systematically conduct a risk evaluation and determine whether a cybersecurity vulnerability affecting a medical device presents an acceptable or unacceptable risk.
Based on the vulnerability assessment, the exploitability of an identified vulnerability and the severity of its impact on health help determine the extent of the compromise to the essential clinical performance of a device, and the resulting risk can be categorised as either “controlled” (acceptable residual risk) or “uncontrolled” (unacceptable residual risk). When determining how to manage a cybersecurity vulnerability, manufacturers should incorporate already implemented compensating controls and risk mitigations into their risk assessment. The FDA encourages efficient, timely and on-going cybersecurity risk management for marketed devices by manufacturers. For cybersecurity routine updates and patches, the FDA will typically not need to conduct pre-market review to clear or approve the medical device software changes. In addition, manufacturers should do the following.
- proactively practice good cyber hygiene and reduce cybersecurity risks even when residual risk is acceptable
- remediate cybersecurity vulnerabilities to reduce the risk of compromise to essential clinical performance to an acceptable level
- conduct appropriate software validation under 21 CFR 820.30(g) to assure that any implemented remediation effectively mitigates the target vulnerability without unintentionally creating exposure to other risks
- properly document the methods and controls used in the design, manufacture, packaging, labelling, storage, installation and servicing of all finished devices as required by 21 CFR 503 part 820
- identify and implement compensating controls, such as a work-around or temporary fix, to adequately mitigate the cybersecurity vulnerability risk, especially when an “official fix” may not be feasible or immediately practicable
- consider the level of knowledge and expertise needed to properly implement the recommended fix
- provide users with relevant information on recommended work-arounds, temporary fixes and residual cybersecurity risks so that they can take appropriate steps to mitigate the risk and make informed decisions regarding device use