By Michele L. Buenafe and Heather A. Dorsey
The new Draft Guidance is one of a string of recent actions taken by FDA to address overall medical device cybersecurity.
Recognizing the growing importance of cybersecurity for medical devices and the potential public health risks that could result from inadequate postmarket cybersecurity management, the US Food and Drug Administration (FDA) issued a new draft guidance document on January 22, 2016: Postmarket Management of Cybersecurity in Medical Devices (Draft Guidance). This new Draft Guidance is one of a string of recent actions taken by FDA to address overall medical device cybersecurity. For example, FDA just concluded a two-day public workshop titled “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity” on January 21, 2016. FDA also finalized a 2014 guidance document with recommendations for cybersecurity management information and content for medical device premarket submissions.

In this new Draft Guidance, FDA emphasizes that cybersecurity risks must be managed throughout a medical device’s lifecycle, from conception to obsolescence. To that end, the Draft Guidance outlines FDA’s recommendations for postmarket cybersecurity risk management, remediating cybersecurity vulnerabilities, and the applicability of various reporting requirements for cybersecurity changes and updates. Once finalized, the Draft Guidance will apply to medical devices that contain software or programmable logic, as well as software that is a medical device (i.e., standalone software devices). Thus, manufacturers of such devices should evaluate how the Draft Guidance affects their products.
Medical Device Cybersecurity Risk Management
The Draft Guidance states that cybersecurity risk-management processes should be documented throughout a device’s lifecycle and should be an ongoing, recursive process of identifying, estimating, evaluating, controlling, and monitoring risks to the effectiveness of controls. FDA also emphasizes that these processes should focus on assessing the risk to a device’s “essential clinical performance,” a new term developed by FDA for this Draft Guidance. The Draft Guidance defines the term to mean the “performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer” and further states that the “compromise of the essential clinical performance can produce a hazardous situation that results in harm and/or may require intervention to prevent harm.” Key processes identified in the Draft Guidance for postmarket cybersecurity risk management include assessing the exploitability of the cybersecurity vulnerability, assessing the potential severity of the health effect to patients, and evaluating the risk to essential clinical performance. FDA recommends that manufacturers make a binary determination about whether a risk to essential clinical performance is either “controlled” (acceptable) or “uncontrolled” (not acceptable) based on the combined evaluation of exploitability and severity of effect to health.

The Draft Guidance also states that FDA views voluntary participation in an Information Sharing and Analysis Organization (ISAO) to be a “critical component of a medical device manufacturer’s proactive postmarket cybersecurity plan” and “strongly recommend[s]” that device manufacturers participate in a cybersecurity ISAO.
Reporting Cybersecurity Vulnerabilities
The Draft Guidance includes recommendations with regard to the reportability of actions taken by device manufacturers to address identified cybersecurity vulnerabilities. Generally, actions taken to address controlled risks will not require reporting under FDA’s regulations for corrections and removals at 21 C.F.R. Part 806. Actions taken to address uncontrolled risks may trigger Part 806 reporting. Significantly, however, FDA states its intent to exercise enforcement discretion for reporting actions to address uncontrolled risks, if all of the following conditions are met:
1) There are no known serious adverse events or deaths associated with the vulnerability;
2) Within 30 days of learning about the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users; and
3) The manufacturer is a participating member of an ISAO, such as the National Health Information Sharing and Analysis Center.