By Christopher Hanson
On January 22, 2016, CDRH announced in the Federal Register the publication of the draft guidance,“Postmarket Management of Cybersecurity in Medical Devices.” The release of the draft guidance coincided with the conclusion of a two-day public workshop hosted by FDA entitled, “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity.” We previously discussed the Agency’s announcement of the workshop in a separate post.
This is the second significant cybersecurity guidance document CDRH has released, having finalized its “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” guidance in October 2014. Having now issued both premarket and postmarket guidance documents, the Agency recognizes that an “effective cybersecurity risk management program should incorporate both premarket and postmarket lifecycle phases and address cybersecurity from medical device conception to obsolescence.”
Cybersecurity and Quality System Regulation
In the newly issued draft guidance, FDA is encouraging manufacturers to use and adopt the National Institute of Standards and Technology (“NIST”) voluntary framework, “Framework for Improving Critical Infrastructure Cybersecurity.” The Agency outlines the key framework elements in the Appendix of the draft guidance. Such a framework will help facilitate a manufacturer’s cybersecurity compliance with the medical device Quality System Regulation (21 C.F.R. part 820), including but not limited to complaint handling, quality audit, corrective and preventive action, software validation and risk analysis, and servicing.
Cybersecurity Risk Management
FDA recommends that manufacturers establish, document, and maintain a continuous process, like the NIST framework, for identifying hazards related to the cybersecurity of a medical device throughout the device’s lifecycle. This will involve the estimation and evaluation of risks, implementing appropriate controls, and monitoring the effectiveness of controls.
As part of cybersecurity risk management, FDA is encouraging manufacturers to define the “essential clinical performance” of their device, which is described as the “performance that is necessary to achieve freedom from unacceptable clinical risk.” When defining essential clinical performance, manufacturers are encouraged to consider: (1) the exploitability of the cybersecurity vulnerability, and (2) the severity of the health impact to patients if the vulnerability were to be exploited. The draft guidance provides examples of available tools and methods to assess the risk to a medical device’s essential clinical performance, including vulnerability scoring systems.
Ultimately, a manufacturer’s vulnerability assessment will help the company determine the extent of a risk to the essential clinical performance of a device. Compromises are classified as either “controlled” (acceptable residual risk) or “uncontrolled” (unacceptable residual risk). If the risk to essential clinical performance is ultimately assessed as “uncontrolled,” additional risk measures should be applied.
FDA considers voluntary participation in an Information Sharing Analysis Organization (“ISAO”) to be an important component of a medical device manufacturer’s “comprehensive proactive approach” to managing postmarket cybersecurity threats and vulnerabilities. FDA believes ISAO membership is a “significant step towards assuring the ongoing safety and effectiveness of marketed medical devices.” CDRH has entered into a Memorandum of Understanding with an ISAO, the National Health Information Sharing & Analysis Center (“NH-ISAC”), to promote the sharing of information about cybersecurity threats and vulnerabilities.
Reporting Cybersecurity Vulnerabilities and Exploits
FDA states that manufacturers should monitor, identify, and address “cybersecurity vulnerabilities and exploits” as part of their postmarket management of medical devices. FDA will consider the “majority” of actions taken by manufacturers to address cybersecurity vulnerabilities and exploits to be “cybersecurity routine updates or patches,” that do not require reporting under 21 C.F.R. part 806 (“Reports of Corrections and Removals”). Cybersecurity vulnerabilities and exploits that “may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death” could require reporting under Part 806.
Interested parties have until April 21 to submit public comments to FDA’s docket. In the Federal Register announcement, CDRH specifically welcomed comments on the following particular topics:
- What factors contribute to a manufacturer’s decision whether or not to participate in an ISAO?
- In the draft guidance, the FDA is proposing its intention to not enforce certain regulatory requirements for manufacturers that are “participating members” of an ISAO. Should FDA define what it means to be a “participating member” of an ISAO and if so, how should such participation be verified?
- What are the characteristics (participation, expertise, policies, and practices) of an ISAO that would make it qualified to participate in the sharing and analysis of medical device cybersecurity vulnerabilities? What are the benefits and disadvantages of FDA “recognizing” specific ISAOs as possessing specialized expertise relevant to sharing and analysis of medical device vulnerabilities and what should such recognition entail?
- When cybersecurity vulnerability information is not reported to FDA, what information should be reported to the ISAO, and when?
- How should the FDA interact with ISAOs, manufacturers, healthcare delivery organizations (“HDOs”), security researchers, and other stakeholders to maximize the sharing of information concerning cybersecurity threats while maintaining confidentiality and protecting commercial confidential information?