On January 26, 2016, the Food and Drug Administration (FDA) issued a release of draft guidance on postmarket management of cybersecurity in medical devices.[1] The FDA has made recommendations to address the industry's vulnerabilities. The critical elements include:
- Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
- Understanding, assessing, and detecting the presence and impact of a vulnerability;
- Establishing and communicating processes for vulnerability intake and handling;
- Clearly defining essential clinical performance to develop mitigations that protect, respond, and recover from the cybersecurity risk;
- Adopting a coordinated vulnerability disclosure policy and practice; and
- Deploying mitigations that address cybersecurity risk early and prior to exploitation.[2]
Some of these components are vague and will be scrutinized. The term "cybersecurity information sources" is ambiguous and undefined. Further, the adoption of a coordinated vulnerability disclosure policy may concern industry members. There is no guidance as to who will be receiving the information, whether directed to health care providers or to patients directly.
The guidance encourages interconnectedness and the sharing of information amongst devices as the FDA wants to take a "proactive, rather than reactive, postmarket cybersecurity approach" and promote the "sharing of cyber risk information and intelligence within the medical device community."[3] The guidance defines this interoperability as the connection between two or more different devices or systems that allow for the availability and "sharing of information … even when products from different manufacturers are used."[4] It specifically does not limit interoperability to "unidirectional patient data" but, instead, expands the definition to include "more complex interactions, such as exerting command and control over a medical device."[5]
The FDA also encourages "routine updates and patches" on cybersecurity.[6] The FDA has set forth different rules when "controlled risks" versus "uncontrolled risks" are involved for reporting these updates to the FDA.[7] "Controlled risks" are changes to the device that are routine or made solely to strengthen cybersecurity and are present when there is "sufficiently low (acceptable) residual risks that the device's essential clinical performance could be compromised by vulnerability."[8] However, in the case of premarket approved (PMA) devices, any newly acquired information concerning vulnerabilities to a device must be reported. On the other hand, an "uncontrolled risk" is present when there is an "unacceptable residual risk that the device's essential clinical performance could be compromised…"[9] This small subset of vulnerabilities must be reported to the FDA.
Overall, the FDA will not typically need to conduct premarket review or approve medical device software changes before they are implemented.[10]
[1] See "Postmarket Management of Cybersecurity in Medical Devices: Draft Guidance for Industry and Food and Drug Administration Staff" dated January 22, 2016.
[3] See Id. at p. 6.
[6] Id. at p. 8.
[7] Id. at pp. 17-18.
[8] Id. at p. 17.
[9] Id. at p. 18.
[10] Id. at p. 16.
What It Means to You
The FDA's guidance remains in draft form. Industry reaction varies. Some commentators state the guidance addresses vulnerabilities in technology that impact patient safety as it encourages the use of shared data for medical purposes. Others believe the guidance is counterproductive as it places the burden on manufacturers to perform additional testing and risk management. The FDA extended its initial 60-day comment period to April 27, 2016.