On January 22nd, 2016, the Food and Drug Administration released a draft guidance document titled “Postmarket Management of Cybersecurity in Medical Devices” (Food and Drug Administration). This important document addresses the need for security throughout the lifecycle of medical devices. Improving medical device security falls under President Obama’s February 19th, 2013 Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”.
This timely document comes after several high profile hacks of medical devices including, but not limited to, drug infusion pumps. As this is a draft, the FDA is requesting comments and suggestions from professionals in the industry. Suggestions can be electronically submitted within 90 days to http://www.regulations.gov. This is a great opportunity to help shape an important initiative.
Let’s break down the highlights of the “Postmarket Management of Cybersecurity in Medical Devices” document.
- Connected Medical Device Security – Networked medical devices can be vulnerable to cybersecurity threats. We have seen an increase in vulnerabilities and malware affecting networked medical devices, so it is great to see a focus on this within the document.
- Security Throughout Product Lifecycle – "Manufacturers are encouraged to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device." (Food and Drug Administration)
- Risk Analyses – “FDA recommends that manufacturers conduct cybersecurity risk analyses that include threat modeling for each of their devices and to update those analyses over time”
- Proactive Security – The FDA states that proactively analyzing security within medical devices increases patient safety and reduces risk to public health.
- No Need to Recertify – Some medical device manufacturers have tried to avoid fixing security issues in their products, stating that doing so would require them to go through a lengthy recertification process with the FDA.
- Notification for Serious Vulnerabilities – The FDA must be notified if a discovered vulnerability would “present a reasonable probability of serious adverse health consequences or death” if exploited.
- Shared Responsibility of Cybersecurity – "Cybersecurity risk management is a shared responsibility among stakeholders including, the medical device manufacturer, the user, the Information Technology (IT) system integrator, Health IT developers, and an array of IT vendors that provide products that are not regulated by the FDA."
- Encourage NIST Cybersecurity Frameworks – The FDA encourages the adoption of the NIST “Framework for Improving Critical Infrastructure Cybersecurity” to help manufacturers manage cybersecurity risk throughout the life of the product.
- Timely Response – While the document does not give a specific timeframe for responding to a security issue, it does say that manufacturers should respond to security vulnerabilities in a “timely fashion”. Additionally, the document states that manufacturers should deploy “mitigations that address cybersecurity risk early and prior to exploitation.”
- Vulnerability Disclosure – Manufacturers should adopt a “coordinated vulnerability disclosure policy and practice" and provide information on work-arounds and temporary fixes to mitigate vulnerabilities.
Recertification Issue in Detail
The “No Need to Recertify” clause is especially important. Some medical device manufacturers have tried to avoid fixing security issues in their products, stating that doing so would require them to go through a lengthy recertification process with the FDA. However, this has never been the case. The “Postmarket Management of Cybersecurity in Medical Devices” document reiterates the FDA’s previous comments on this topic, which stated that an FDA review is necessary “when a change or modification could significantly affect the safety or effectiveness of the medical device. 21 CFR 807.81(a)(3), 814.39.” or if the proposed change “could significantly affect the safety or effectiveness of the medical device.” (U.S. Department of Health and Human Services; Food and Drug Administration; Center for Devices and Radiological Health; Office of Compliance; Office of Device Evaluation)
A penalty for not addressing security issues is never mentioned in the document. This matters: many companies ignored the HIPAA compliance guidelines until noncompliant organizations started getting fined.
Food and Drug Administration. "FDA outlines cybersecurity recommendations for medical device manufacturers." 22 January 2016. U.S. Food and Drug Administration. http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf
U.S. Department of Health and Human Services; Food and Drug Administration; Center for Devices and Radiological Health; Office of Compliance; Office of Device Evaluation. "Guidance for Industry – Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software." U.S. Food and Drug Administration. http://www.fda.gov/RegulatoryInformation/Guidances/ucm077812.htm