Is Your Medical Device Cybersecure? FDA Issues Draft Guidance on Postmarket Cybersecurity in Medical Devices

Recently, the U.S. Food and Drug Administration (FDA) issued draft guidance outlining the agency's recommendations for Postmarket Management of Cybersecurity in Medical Devices. The guidance is applicable to medical devices that contain software (including firmware) or programmable logic, as well as software that meets the definition of a medical device.  The guidance does not apply to experimental or investigational medical devices. Comments on the draft guidance are due by April 21, 2016.

The draft guidance emphasizes that manufacturers should proactively monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices. FDA defines "vulnerability" as a "weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat." The draft guidance defines "exploit" to mean "an instance where a vulnerability or vulnerabilities have been exercised (accidently or intentionally) and could impact the essential clinical performance of a medical device or use a medical device as a vector to compromise the performance of a connected device or system."

The draft guidance explains that for a small subset of cybersecurity vulnerabilities and exploits that may compromise "the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death," the FDA would require medical device manufacturers to notify the agency under 21 CFR 806.10. This section generally requires device manufacturers to notify FDA in writing within 10 working days of any correction (e.g., repair, modification, adjustment, relabeling) or removal of a device that was initiated to (1) reduce a risk to health posed by the device; or (2) remedy a legal/regulatory violation caused by the device that may present a risk to health. FDA's guidance defines "essential clinical performance" to mean "performance that is necessary to achieve freedom from unacceptable clinical risk[], as defined by the manufacturer." Thus, FDA explained that manufacturers should "define, as part of risk management, the essential clinical performance of their device, the resulting severity outcomes if compromised, and the risk acceptance criteria," taking into consideration the requirements necessary to achieve device safety and effectiveness.

Further, the guidance recommends that the process to assess the cybersecurity risk to a device's essential clinical performance should consider: (1) the exploitability of the cybersecurity vulnerability; and (2) the severity of the health impact to patients if the vulnerability were to be exploited. The guidance also recommends that manufacturers evaluate whether the risk to essential clinical performance of the device is controlled (acceptable) or uncontrolled (unacceptable). In one example, FDA explained that a manufacturer would be required to notify FDA under 21 CFR 806.10 under the following circumstances:

A manufacturer becomes aware of a vulnerability via a researcher that its Class III medical device (e.g., implantable defibrillator, pacemaker, etc.) can be reprogrammed by an unauthorized user. If exploited, the vulnerability could result in permanent impairment, a life-threatening injury, or death. The manufacturer is not aware that the vulnerability has been exploited and determines that the vulnerability is related to a hardcoded password, and cannot be mitigated by the device's design controls. The risk assessment concludes that the exploitability of the vulnerability is moderate and the risk to the device's essential clinical performance is uncontrolled. The manufacturer notifies appropriate stakeholders, and distributes a validated emergency patch.

A hospital reports that a patient was harmed after a medical device failed to perform as intended. A manufacturer investigation determines that the medical device malfunctioned as a result of exploitation of a previously unknown vulnerability in its proprietary software. The outcome of the manufacturer's investigation and impact assessment determines that the exploit indirectly impacts the device's essential clinical performance and may have contributed to a patient death. The manufacturer notifies the customer base and user community, and develops a validated emergency patch within 30 days of learning of the vulnerability. … Because there has been a serious adverse event or death associated with the vulnerability, the manufacturer files a report in accordance with 21 CFR 806.10 to notify FDA and complies with reporting requirements under 21 CFR part 803.

Conversely, for the majority of cases, FDA explains that actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered "cybersecurity routine updates or patches," for which the FDA does not require advance notification or reporting under 21 CFR part 806. The draft guidance defines "cybersecurity routine updates or patches" to mean:

updates or patches to a device to increase device security and/or remediate vulnerabilities associated with controlled risk and not to reduce a risk to health or correct a violation of the FD&C Act. They include any regularly scheduled security updates or patches to a device, including upgrades to the software, firmware, programmable logic, hardware, or security of a device to increase device security as well as updates or patches to address vulnerabilities associated with controlled risk performed earlier than their regularly scheduled deployment cycle even if they are distributed to multiple units. Cybersecurity routine updates and patches are generally considered to be a type of device enhancement that may be applied to vulnerabilities associated with controlled risk and is not considered a repair. Cybersecurity routine updates and patches may also include changes to product labeling, including the instructions for use, to strengthen cybersecurity through increased end-user education and use of best practices.

For example, FDA explained that a manufacturer would not be required to notify FDA under 21 CFR 806.10 under the following circumstances:

A device manufacturer receives a user complaint that a recent security software scan of the PC component of a Class III medical device has indicated that the PC is infected with malware. The outcome of a manufacturer investigation and impact assessment confirms the presence of malware and that the primary purpose of the malware is to collect internet browsing information. The manufacturer also determined that the malware has actively collected browsing information, but that the device’s essential clinical performance is not impacted by such collection. The manufacturer's risk assessment determines that the risk due to the vulnerability is controlled. Since essential clinical performance was not impacted, the manufacturer can update the product and it will be considered a cybersecurity routine update or patch. … Because the device is a Class III device, the manufacturer should report the changes to the FDA in its periodic (annual) report required for holders of an approved PMA under 21 CFR 814.84.

The draft guidance goes on to explain that it is essential that manufacturers implement comprehensive cybersecurity risk management programs and documentation consistent with the Quality System Regulation (21 CFR part 820), including but not limited to complaint handling (21 CFR 820.198), quality audit (21 CFR 820.22), corrective and preventive action (21 CFR 820.100), software validation and risk analysis (21 CFR 820.30(g)) and servicing (21 CFR 820.200). The draft guidance explains that such programs should emphasize addressing vulnerabilities which may permit the unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient, and may impact patient safety. FDA recommends that critical components of such a program should include:

• monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
• understanding, assessing and detecting presence and impact of a vulnerability;
• establishing and communicating processes for vulnerability intake and handling;
• clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk
• adopting a coordinated vulnerability disclosure policy and practice; and
• deploying mitigations that address cybersecurity risk early and prior to exploitation.

FDA's new draft guidance outlines in greater detail each of the recommendations and considerations manufacturers should incorporate into their postmarket cybersecurity risk management programs.

The draft guidance comes roughly one month after FDA announced that it would be convening a workshop on device cybersecurity on January 20-21, 2016, for which FDA also released supporting materials.

The draft guidance also comes several months after FDA issued what appeared to be its first public Safety Communication about cybersecurity vulnerabilities of Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems. The Office of the Inspector General (OIG) for the U.S. Department of Health and Human Services (HHS) also included in its 2016 Work Plan examining FDA's oversight of hospitals' networked medical devices and their cybersecurity.

Prior to this draft guidance, FDA issued guidance on the "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices," which outlines when manufacturers should consider cybersecurity during the design phases of the medical device lifecycle. FDA's new draft postmarket guidance reiterates that manufacturers address cybersecurity "throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device." Further, FDA recognized that the issuance of its new draft guidance is consistent with Executive Order 13636 — Improving Critical Infrastructure Cybersecurity, issued by the President in February 2013, which emphasizes the need for stakeholders in the Healthcare and Public Health Critical Infrastructure Sector to enhance cybersecurity measures.

As we enter this new era of medical device cybersecurity, it will be incumbent upon medical device manufacturers and related stakeholders to assess FDA's recent guidance and begin evaluating necessary changes and enhancements.