FDA Issues New Draft Guidance on Cybersecurity in Medical Devices

April 12, 2016 | Privacy, Data & Cyber Law | Health Services

Many medical devices used in modern medical care—from pacemakers to robotic surgical equipment and CT scanners—contain embedded software.  The amount of software content built into devices doubles about every two years, as advances in computer technologies encourage production of new generations of devices with ever more functionalities.  In addition, more and more medical devices are being connected through wireless or wired connections to the internet, private intranets, and other networks so that data can be transferred between the device and other information systems.

A medical device that contains embedded software is vulnerable to cybersecurity breaches in which unauthorized parties gain access to the device in order to exfiltrate information or to undermine or impede aspects of the device or its users. A cybersecurity breach can compromise the performance of the device and thus present a risk to its safety and effectiveness. Networked medical devices pose additional risks, as a cybersecurity breach can also compromise the performance of other systems that are connected to the device.

The U.S. Food and Drug Administration (“FDA”) has recently taken a number of actions to address medical device cybersecurity. Most recently, on January 22, 2016, the FDA issued a new draft guidance document, titled Postmarket Management of Cybersecurity in Medical Devices (the “Draft Guidance”), which contains recommendations on how device manufacturers can mitigate postmarket cybersecurity threats for medical devices they market. (The premarket management of cybersecurity during the design stage of device development was addressed by an earlier guidance document issued by the FDA in October 2014.) While the FDA’s guidance documents do not establish legally enforceable obligations, they describe the FDA’s current thinking on the topic.

The Draft Guidance recommends that medical device manufacturers take a proactive, risk-based approach to managing postmarket cybersecurity risks rather than a reactive one. Consistent with that approach, it recommends that manufacturers implement a comprehensive cybersecurity risk management program. The core components of such a program should include the following:

A.  Identify.

Manufacturers should define the essential clinical performance of their device, the resulting severity outcomes if compromised, and the risk acceptance criteria. Understanding and defining essential clinical performance is important both in assessing the vulnerability of the device’s performance to a cybersecurity breach and in determining whether proposed or implemented remediations can provide assurance that the cybersecurity risk to the essential clinical performance is reasonably controlled.

B.  Protect/Detect.

Manufacturers should also be proactive about detecting cybersecurity threats by engaging in the following:

  1. Characterizing and assessing identified vulnerabilities;
  2. Conducting cybersecurity risk analyses that include threat modeling for each of their devices and updating those analyses over time;
  3. Analyzing possible threat sources;
  4. Considering the incorporation of design features that establish or enhance the ability of the device to detect and produce forensically sound postmarket evidence captured in the event of an attack; and
  5. Having a process to assess the impact of a cybersecurity threat horizontally (i.e., across all medical devices within the manufacturer’s product portfolio) and vertically (i.e., to determine if there is an impact on specific components within the device).

C.  Protect/Respond/Recover.

Finally, the FDA recommends that manufacturers design and assess compensating controls. These are safeguards or countermeasures, external to the device, that a user would employ and that provide supplementary cyber protection for a medical device. For example, consider a medical device that is connected to a hospital’s network. The manufacturer may determine that a cybersecurity breach will most likely impact the device’s essential clinical performance. Assume that the manufacturer determines that the device can operate safely and effectively without access to the hospital network. In this case, the manufacturer could instruct users to configure the network so that unauthorized or unintended access to the device from the hospital network is no longer possible. This type of countermeasure is an example of a compensating control. Manufacturers should assess compensating controls and prescribe them to users so that the risk to essential clinical performance is further mitigated by a defense-in-depth strategy.
