Meeting the Postmarket Challenge: FDA Offers Recommendations for Postmarket Medical Device Cybersecurity

On January 22, 2016, the U.S. Food and Drug Administration issued Postmarket Management of Cybersecurity in Medical Devices (Guidance), the latest in a series of FDA guidance documents and safety communications addressing cybersecurity throughout the medical device lifecycle.[1] From insulin pumps to pacemakers, implantable defibrillators to prosthetics, more and more medical devices are wireless, Internet- or network-connected, or contain configurable embedded computer systems.  While design controls incorporated into products can help alleviate risk, manufacturers must also consider improvements during postmarket device maintenance.  The Guidance clarifies FDA’s postmarket recommendations, and emphasizes that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as a part of routine postmarket medical device management.  
 
Background and Threat Environment
 
Wireless technology and software in medical devices can improve health care and increase access. However, these devices, like other "smart" products, are subject to cybersecurity vulnerabilities, threats, and exploits that can impact both safety and effectiveness.  The health care and public health critical infrastructure has been called "the largest attack surface for national security today."[2]
 
As devices become smarter, cybersecurity must keep pace.  Dr. Suzanne Schwartz, of FDA's Center for Devices and Radiological Health, recently noted that "… acceptance of this new reality has not come easy for stakeholders within the [medical device] sector.  And it does require ultimately an attitudinal and culture shift.  As challenging as it is to effect change in mindset and behavior, we all must come to terms with this being the new reality."  Emerging concerns on health care and public health cybersecurity threat landscape include:
 
  • Health care is late to cybersecurity.  While the financial and commercial sectors have a history in cybersecurity, health care is a more recent target.  Because it has moved quickly into the crosshairs, health care must move quickly to keep pace.
  • Exponential growth in connectivity.  As more devices are smarter, it is vital to keep up with controls and ahead of threats.
  • It's not all about manufacturers.  Regulated devices are a smaller and smaller part of the overall medical device ecosystem.  Device manufacturers can only do so much to affect the whole, even while they are affected by it.
  • Wide range of threat sources.  From unintentional threats to advanced threat actors, perhaps the most concerning threat to health data comes from "hacktivists" whose motivations are not always entirely clear. 
  • Monetization of health data for dollars and nation/state value.  Advanced threats such as ransomware may become commonplace.
  • Fear of sharing.  Hacked or breached entities may fear repercussions (further compromise, lawsuits, fines, investigations) if they share information about their compromise.
Inadequate or failed cybersecurity for any product can inconvenience the user and cause the manufacturer financial and reputational harm.  Compromised cybersecurity in medical devices can threaten health and safety, compromise the confidentiality, integrity, and availability of critical medical data, and serve as an access point for entry into hospital and health care facility networks.  With good reason, medical device cybersecurity is front and center with industry and FDA.
 
Neither manufacturers nor providers can completely eliminate cybersecurity threats. Rather, the goal must be to accurately and thoroughly assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of data, and implement security measures sufficient to reduce them to a reasonable and appropriate level.
 
FDA Guidance
 
FDA issued the Guidance to inform industry and FDA staff of the agency's recommendations for managing postmarket cybersecurity vulnerabilities in marketed medical devices. The Guidance includes a very specific disclaimer: "FDA's guidance documents, including this draft guidance, do not establish legally enforceable responsibilities. Instead, the guidance describe the Agency's current thinking on a topic and should be viewed only as recommendations, unless specific regulatory or statutory requirements are cited."[3] 
 
The Guidance applies to medical devices that contain software (including firmware) or programmable logic, as well as software that is a medical device. Commenters suggested FDA expand the Guidance to address:
 
  • Nonmedical IT (such as third party technology) interconnected with a medical device.
  • Connected devices intended for home use. The commenter notes: "Since home users will likely have medical device software installed on a mobile device, the guidance should address scenarios in which the mobile device's operating system has not been updated and therefore is vulnerable to cybersecurity threats and the agency's process for notification in the event of a recall of these devices."[4]
  • Mobile medical applications ("MMA"). The commenter notes "[i]t is unclear whether and how [the Guidance] would apply to MMAs given that the FDA is currently exercising 'enforcement discretion' with MMA. An MMA would presumably not fall under this guidance which could be problematic. For example, an MMA could be an entry point into an entire hospital system for ransomware or some other cyber threat."[5]
  • Legacy products.[6]
  • Low- and moderate-risk medical devices of minor or moderate software level of concerns.[7]
  • Multiple interconnected devices used on different types of platforms in both an open and closed ecosystem.[8]
Several important principles underlie FDA's recommendations:
 
  • Cybersecurity is a shared responsibility.  Device manufacturers do not operate in a cyber bubble.  FDA considers cybersecurity a "shared responsibility" among medical device stakeholders, including manufacturers, patients, providers, and health care facilities.  Cybersecurity best practices for FDA-regulated entities necessarily include collaboration, both within the medical device community and among the larger group of stakeholders.  Collaboration fosters a shared understanding of identified vulnerabilities, risk assessment and management, and pre-impact mitigation and remediation.
  • Cybersecurity is a lifetime commitment.  Cyber threats are continually evolving, and premarket controls are insufficient to mitigate risk.  A manufacturer’s cybersecurity risk management plan ("RMP") should incorporate both premarket and postmarket phases.  As FDA emphasizes, "[s]afeguarding the nation’s public health with respect to medical device cybersecurity requires attentiveness to the total product lifecycle, from design to obsolescence."[9]
  • Cybersecurity is proactive and risk-based.  A proactive, risk-based approach to postmarket cybersecurity helps mitigate emerging risks and reduce patient impact.  This includes sharing and monitoring information, engaging in routine device cyber maintenance, using a risk-based approach to characterizing vulnerabilities, and timely implementing necessary action.
  • FDA will incentivize manufacturers.  The proposed regulatory policy incentivizes proactive behavior and good cyber hygiene.
While there is no "one-size-fits-all" approach to managing device cybersecurity – individual manufacturers will always experience unique vulnerabilities, threats, risk tolerance, and implementation standards – the Guidance will help device manufacturers evaluate critical risk management activities and prioritize investments to maximize patient safety.
 
Postmarket Cybersecurity Risk Management – Definitions and General Principles
 
The concepts of vulnerability, threat, and exploit underlie cybersecurity at all phases of the device lifecycle:
 
  • Vulnerability:  "a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat."
  • Exploit:  "an instance where a vulnerability or vulnerabilities have been exercised (accidentally or intentionally) and could impact the essential clinical performance of a medical device or use a medical device as a vector to compromise the performance of a connected device or system."
  • Threat:  "any circumstance or event with the potential to adversely impact the essential clinical performance of the device, organizational operations (including mission, functions, image, or reputation), organizational assets,  individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service …. Threats exercise vulnerabilities, which may impact the essential clinical performance of the device."
A cybersecurity RMP is the manufacturer’s "ongoing process for identifying hazards associated with the cybersecurity of a medical device, estimating and evaluating the associated risks, controlling those risks, and monitoring the effectiveness of the controls."  (Guidance, p. 13).  The cybersecurity RMP should be consistent with the manufacturer’s FDA-mandated quality system for medical devices,[10] including complaint handling, quality audit, corrective and preventive action, and software validation and risk analysis. 
 
Basic components of an effective cybersecurity RMP include:
 
  • Practicing good routine cyber hygiene.  Although the Guidance does not define "cyber hygiene," H.R. 3664, Promoting Good Cyber Hygiene Act of 2015,[11] provides a working definition:  "processes, procedures, and mechanisms that help protect information systems and devices against cybersecurity threats, including … (1) unauthorized access; (2) alteration of information or code running or intended to be running on such systems or devices; and (3) unauthorized denials of service to authorized users of these systems or devices."  The bill requires the National Institute of Standards and Technology (NIST) to establish for the federal government, the private sector, and any individual or organization a list of voluntary best practices for effective and usable cyber hygiene.
  • Performing appropriate software validation.  FDA requires that each manufacturer of a class III, class II, or enumerated class I device "establish and maintain procedures to control the design of the device in order to ensure that specified design requirements are met."  (21 CFR 820.30(a)(1)).  This includes "design validation" to "ensure that devices conform to defined user needs and intended uses …."  (21 CFR 820.30(g)).  "Software validation," where appropriate, is a component of design validation.  Id.
  • Properly documenting methods and controls used in the design, manufacture, packaging, labeling, storage, installation, and servicing of all finished devices, as required by current good manufacturing practice (CGMP) (21 CFR 820).
FDA recommends that device manufacturers apply NIST's voluntary 2014 Framework for Improving Critical Infrastructure Cybersecurity when developing and implementing their cybersecurity RMPs.  The NIST framework focuses on using business drivers to guide cybersecurity activities, and considering cybersecurity risks as part of the entity's overall risk management program.  The framework is built around five concurrent and continuous functions that together provide a high-level, strategic view of how the organization manages cybersecurity risk. 
 
  • Identify:  Define essential clinical performance (ECP); identify cybersecurity signals. 
  • Protect/Detect:  Characterize and assess vulnerabilities; perform risk analysis (including threat modeling); analyze threat sources; incorporate threat detection capabilities; assess the impact of a cybersecurity signal both horizontally and vertically.
  • Respond/Recover:  Implement compensating controls, and mitigate residual risk to ECP.
However, the NIST framework is designed for critical infrastructure generally, and is not specifically tailored for medical device manufacturers. Although medical device manufacturers (MDMs) share many cybersecurity concerns with other business sectors, they also face unique challenges that the NIST framework may not adequately address. Public comments on the Guidance suggest that FDA also consider "the significance of universally-recognized approaches to risk management that are tailored to medical devices," such as those found in ISO 14971 (Medical devices – Application of risk management to medical devices), ISO/TR 80001 (Application of risk management for IT networks incorporating medical devices), and AAMI TIR57 (Principles for medical device security – Risk management).[12]

RMP Function 1 – Identify.
 
Managing cybersecurity risk begins with identifying cybersecurity signals. A "cybersecurity signal" is "any information which indicates the potential for, or confirmation of, a cybersecurity vulnerability or exploit that affects, or could affect a medical device." (Guidance, p. 8). A potential or identified vulnerability is not, in itself, a cybersecurity signal. Rather, a signal arises from the effect of a vulnerability upon device performance. FDA takes a "controlled vulnerabilities" approach, with the twin goals of identifying vulnerabilities that threaten "essential clinical performance" (ECP),[13] and managing the resulting risk to a controlled, acceptable level.
 
"Essential clinical performance" is the level of device performance necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer. (Guidance, p. 9). Defining ECP allows the manufacturer to evaluate potential impacts from a vulnerability, and determine whether a proposed mitigation strategy will appropriately control risk.
 
Essential clinical performance is both a new concept (it is not included in any previous FDA guidance), and a controversial one:
 
  • There are no established standards for determining ECP, and it may be hard to define in complex environments.[14] Using ECP as the basis for cybersecurity signal detection may thus have unintended consequences, such as over-reporting. One commenter suggests FDA clarify that ECP is "tied to safety and effectiveness of the device when it is used as intended, based on the claimed intended use and indications for use statement of the manufacturer."[15]
  • The term may introduce "unnecessary complexity" into the device lifecycle, because "decisions around the level of clinical performance necessary to achieve freedom from unacceptable clinical risk [are] defined in the concept/design/premarket phase of the [device] lifecycle."[16]
  • The concept may be overly broad to the extent it encompasses more than pure clinical risk. One commenter suggests FDA amend the definition to state: "essential performance means performance necessary to achieve freedom from unacceptable clinical (not confidentiality) risk …. This 'essential performance' concept is similar to IEC 60601-1, but with a sole focus on clinical risk."[17] The revised definition "would embrace familiar terminology, explain its origin and tailored meaning, and clarify that clinical risk (not confidentiality) is the primary postmarket focus."[18]
Cybersecurity signals can arise from "traditional information sources" such as internal investigations, postmarket surveillance, complaints, and adverse event reports, as well as "security-centric"[19] sources including Computer Emergency Readiness Teams ("CERT"),[20] Information Sharing Analysis Organizations ("ISAO"),[21] and security researchers. Manufacturers should establish and implement a "clear, consistent and reproducible process" to detect and address cybersecurity signals, drawing on this full array of internal and external information sources to inform signal detection. 
 
One commenter notes that health delivery organizations "struggle with cybersecurity because medical devices are known to malfunction or reboot when simply scanned for vulnerabilities."[22] To help minimize clinical disruptions, the commenter recommends that the Guidance state: "Manufacturers should explicitly label their networkable medical devices as 'safe to vulnerability scan' or 'secondary compensating controls needed to safely scan' so that [health delivery organizations] can safely scan for vulnerabilities without disrupting clinical workflow as part of continuous risk-assessment processes."[23]
 
FDA strongly encourages manufacturers to enhance signal detection capabilities by participating in a cybersecurity ISAO, and by incorporating detection mechanisms into device design and features – i.e., to implement security by design. 
 
RMP Functions 2 and 3:  Protect and Detect.
 
FDA recommends that manufacturers conduct a cybersecurity risk analysis for each device.  The Guidance does not define "risk analysis," but the NIST definition can be adapted for this purpose:  a cybersecurity risk analysis is "the process of identifying, estimating, and prioritizing risks to ECP resulting from vulnerabilities."[24]  Risk analysis is part of the manufacturer's cybersecurity RMP.  It involves analyzing and characterizing vulnerabilities and threats, as well as assessing the impact of planned or future compensating controls and mitigations.[25]
 
FDA recommends that manufacturers use threat modeling to inform their cybersecurity risk analysis.  Threat modeling is a methodology for optimizing network, application, and Internet security by identifying objectives and vulnerabilities, and defining countermeasures to prevent or mitigate the effects of threats.  (Guidance, p. 10).  In the medical device context, manufacturers can use threat modeling to identify vulnerabilities to a particular product or product line, or from the organization’s supply chain, that could adversely affect patient safety.
 
Characterizing and assessing vulnerabilities is a part of risk analysis and helps the manufacturer triage vulnerabilities for remediation.  This involves evaluating exploitability and severity.
 
  • "Exploitability" is the ease with which a threat source or sources can exploit the vulnerability.  Assessing exploitability involves identifying and analyzing the threat source itself.  Threat sources may be adversarial (hostile cyber or physical attacks); accidental (human errors of omission or commission); structural (failures of organization-controlled resources, such as hardware, software, environmental controls); and environmental (natural and man-made disasters, accidents, and failures beyond the organization’s control).[26]  The manufacturer should consider as many credible information sources as possible to obtain information on threat sources.  Characterizing the threat means attaching a value (e.g., very low → low → moderate → high → very high) to the capability and intent of adversarial threat sources, and the severity and range of effects for non-adversarial threat sources.[27]  The Guidance describes several ways to evaluate and qualify exploitability (e.g., low → medium → high).
  • "Severity" means the degree of health impacts that would result from the exploited vulnerability.  The Guidance also describes ways to evaluate and qualify severity (e.g., on a negligible → minor → serious → critical → catastrophic scale).
Developing and validating meaningful tools for assessing vulnerabilities in the clinical environment is an area of focus for FDA going forward.[28]
 
A "key purpose" of risk analysis is to evaluate residual risk to ECP.  Residual risk is the degree of risk an exploited vulnerability presents to ECP after taking into account existing device features and "compensating controls."  Residual risk may be either controlled (acceptable) or uncontrolled (unacceptable). 
 
  • Controlled risk is present when there is "sufficiently low (acceptable) residual risk that the device’s essential clinical performance could be compromised by a cybersecurity vulnerability."  (Guidance, p. 8).
  • Uncontrolled risk is present when there is "unacceptable residual risk that the device’s clinical performance could be compromised due to insufficient compensating controls and risk mitigations."  (Guidance, p. 10).
FDA advises manufacturers to use "an established process that is tailored to the product, its essential clinical performance, and the situation" to determine whether residual risk is controlled or uncontrolled.  (Guidance, p. 15).  One way to do this is to plot exploitability against severity, considering compensating controls.  A "compensating control" is a "safeguard or countermeasure, external to the device, employed by a user in lieu of, or in the absence of [,] sufficient controls that were designed in by a device manufacturer, and that provides supplementary or comparable cyber protection for a medical device."  (Guidance, pp. 7-8).[29]  Using the recommended fact-specific analysis, a manufacturer might determine that a vulnerability at high risk for exploitation presents a controlled risk because resulting health impacts (with or without compensating controls) would be negligible.  Conversely, the manufacturer might determine that a vulnerability at low risk for exploitation presents an uncontrolled risk because resulting health impacts (with or without compensating controls) would be catastrophic.
 
FDA recommends that manufacturers incorporate threat detection capabilities into medical devices – design features that establish or enhance the device's ability to "detect and produce forensically sound postmarket evidence capture in the event of an attack."  (Guidance p. 24).  This is superior to network monitoring alone and may help the manufacturer assess and remediate risk.
 
Manufacturers should strive for wide impact when expending resources on cybersecurity signal detection.  FDA recommends that manufacturers comprehensively assess a signal's impact, both horizontally (across all devices in the portfolio, including those in development, and those not yet cleared, approved, or marketed) and vertically (across all components within a device). 
 
RMP Functions 4 and 5:  Respond and Recover
 
While FDA recommends device-based features as the "primary" means of mitigating a vulnerability's impact on ECP, manufacturers should also assess and recommend additional compensating controls (external to the device) to further mitigate impact.  This includes developing, implementing, and notifying users of "official fixes, temporary fixes, and work-arounds."  (Guidance p. 24).  FDA also recommends a "coordinated vulnerability disclosure policy."[30]
 
Remediating Controlled Risk to ECP
 
Good cyber hygiene and risk reduction are important even when residual risk is acceptable.  Additionally:
 
  • Changes to a device made solely to strengthen cybersecurity are usually considered device enhancements (which may include cybersecurity routine updates and patches), and do not require reporting.  Device manufacturers must report to FDA any correction or removal of a device initiated by the manufacturer to reduce risk to health posed by the device, or to remedy a violation of the FD&C Act caused by the device which may present a risk to health.  (21 CFR 806.10(a)).  However, the draft Guidance creates an exception to the reporting requirement for "cybersecurity routine updates and patches," which are "updates or patches to a device to increase device security and/or remediate vulnerabilities associated with a controlled risk and not to reduce a risk to health or correct a violation of the FD&C Act."  They include:
[A]ny regularly scheduled security updates or patches to a device, including upgrades to the firmware, programmable logic, hardware, or security of a device to increase device security as well as updates or patches to address vulnerabilities associated with controlled risk performed earlier than their regularly scheduled deployment cycle even if they are distributed to multiple units .... [They] may also include changes to product labeling, including the instructions for use, to strengthen cybersecurity through increased end-user education and use of best practices.
 
(Guidance, p. 8).  Note that FDA does not consider security updates made to "remediate vulnerabilities associated with a reasonable probability that use of, or exposure to, the product will cause serious adverse health consequences or death" to be cybersecurity routine updates or patches.  Id.

The Guidance provides examples of vulnerabilities associated with controlled risk, and their management, as well as recommended content to include in the periodic report.
 
Remediating Uncontrolled Risk to ECP
 
FDA recommends that manufacturers implement additional compensating controls or changes when a cybersecurity vulnerability presents an uncontrolled risk to ECP:
 
  • Implement remediation strategies to reduce risk to ECP to a controlled level. Remediation is "any action(s) taken to reduce the risk to the medical device's essential clinical performance to an acceptable level." (Guidance, p. 9) One commenter suggests that if FDA retains the concept of ECP, it should modify the definition of remediation to include "any action taken to reduce an identified risk to the medical device's essential clinical performance to an acceptable level."[31]
  • Implement mitigations and compensating controls (such as work-arounds and temporary fixes) to adequately mitigate risk.
  • Report these vulnerabilities to FDA according to 21 CFR 806, "Medical Devices: Reports of Corrections and Removals" (unless reported under 21 CFR 803 ("Medical Device Reporting") or 1004 ("Repurchase, Repairs, or Replacement of Electronic Products")). 
However, FDA states it does not intend to enforce reporting requirements under 21 CFR 806 if all of the following are met:
 
  • There are no known serious adverse events or deaths associated with the vulnerability;
  • Within 30 days of learning of the "vulnerability," the manufacturer "identifies and implements changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users;"[32] and
  • The manufacturer is a participating member of an ISAO, such as NH-ISAC.[33]
FDA further recommends that manufacturers:
 
  • Include remediation of devices with annual reporting requirements in the annual report.
  • Evaluate device changes to assess whether to submit a premarket submission (PMA supplement, 510(k), etc.).
  • Provide customers and users relevant information on recommended work-arounds, temporary fixes, and residual risks to enable them to take appropriate mitigation steps and make informed decisions.
  • For PMA devices with periodic reporting requirements under 21 CFR 814.84, report information on vulnerabilities, and implemented device changes and compensating controls, to FDA in a periodic report.  Section VIII of the Guidance describes recommended content to include in PMA periodic reports.  This includes a brief description of the vulnerability and how the manufacturer became aware of it, a summary of the manufacturer’s risk assessment, a description of the changes made, and the rationale for making the change.
(Guidance, pp. 18-19).
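To make the two decision points above concrete (plotting exploitability against severity with compensating controls, and the three criteria under which FDA does not intend to enforce 21 CFR 806 reporting), here is an added Python triage model; it is not code from FDA or from the article. The scales are the example scales the Guidance mentions, but the acceptance rule (critical/catastrophic severity always uncontrolled, serious severity controlled only at low residual exploitability, one step of exploitability reduction per compensating control) and the sample findings are assumptions a manufacturer would replace with its own established process.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class Exploitability(IntEnum):
    """Example exploitability scale mentioned in the Guidance (low -> medium -> high)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Severity(IntEnum):
    """Example severity (health impact) scale mentioned in the Guidance."""
    NEGLIGIBLE = 1
    MINOR = 2
    SERIOUS = 3
    CRITICAL = 4
    CATASTROPHIC = 5


# Possible outcomes of the reporting decision, as the article describes them.
ROUTINE_UPDATE = "controlled risk: cybersecurity routine update/patch, not reportable under 21 CFR 806"
REPORT_NOT_ENFORCED = "uncontrolled risk remediated: FDA does not intend to enforce 21 CFR 806 reporting"
REPORT_806 = "uncontrolled risk: report under 21 CFR 806"


@dataclass
class Vulnerability:
    name: str
    exploitability: Exploitability
    severity: Severity                       # health impact on ECP if exploited
    compensating_controls: List[str] = field(default_factory=list)  # external to the device
    serious_adverse_events: bool = False     # known serious adverse events or deaths
    days_to_remediate: Optional[int] = None  # days until controls are in place and users notified
    isao_member: bool = True                 # manufacturer participates in an ISAO (e.g., NH-ISAC)


def residual_exploitability(v: Vulnerability) -> Exploitability:
    """Assumed model: each compensating control lowers exploitability one step,
    never below LOW. Severity is a property of the health impact and, as the
    article's two worked cases suggest, is not reduced by controls."""
    level = int(v.exploitability) - len(v.compensating_controls)
    return Exploitability(max(level, int(Exploitability.LOW)))


def is_controlled(v: Vulnerability) -> bool:
    """Assumed manufacturer-defined acceptance rule for the exploitability x
    severity plot: critical/catastrophic impact is uncontrolled whatever the
    exploitability; negligible/minor impact is controlled whatever the
    exploitability; serious impact is controlled only at LOW residual exploitability."""
    if v.severity >= Severity.CRITICAL:
        return False
    if v.severity <= Severity.MINOR:
        return True
    return residual_exploitability(v) == Exploitability.LOW


def enforcement_discretion_applies(v: Vulnerability) -> bool:
    """All three Guidance criteria must hold: no serious adverse events or deaths,
    changes/controls implemented and users notified within 30 days, ISAO membership."""
    remediated_in_time = v.days_to_remediate is not None and v.days_to_remediate <= 30
    return (not v.serious_adverse_events) and remediated_in_time and v.isao_member


def reporting_decision(v: Vulnerability) -> str:
    """Map a finding to the article's three outcomes."""
    if is_controlled(v):
        return ROUTINE_UPDATE
    if enforcement_discretion_applies(v):
        return REPORT_NOT_ENFORCED
    return REPORT_806


def triage(vulns: List[Vulnerability]) -> dict:
    """Return {name: (controlled?, residual exploitability, decision)} for a portfolio."""
    return {v.name: (is_controlled(v), residual_exploitability(v).name, reporting_decision(v))
            for v in vulns}


if __name__ == "__main__":
    # Constructed sample findings, not real devices or real CVEs.
    sample = [
        Vulnerability("device-info banner disclosure", Exploitability.HIGH, Severity.NEGLIGIBLE),
        Vulnerability("therapy setting change without authentication", Exploitability.LOW,
                      Severity.CATASTROPHIC, days_to_remediate=21),
        Vulnerability("stale vendor library in gateway", Exploitability.HIGH, Severity.SERIOUS,
                      compensating_controls=["network segmentation"], days_to_remediate=60),
    ]
    for name, (ctrl, resid, decision) in triage(sample).items():
        print(f"{name}: controlled={ctrl}, residual exploitability={resid}\n  -> {decision}")
```

The third sample finding shows the interaction the article describes: one compensating control lowers exploitability from high to medium, but a serious health impact at medium residual exploitability stays uncontrolled under the assumed rule, and a 60-day remediation misses the 30-day criterion, so 806 reporting applies.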
 
If the manufacturer does not remediate uncontrolled risk to ECP, the device may violate the FD&C Act and be subject to enforcement.  The Guidance provides examples of vulnerabilities associated with uncontrolled risk, and response/remediation actions.
 
Finally, manufacturers may not have designed or intended certain "legacy" or other devices for network integration. End users who nonetheless integrate these devices may create unintended risks and vulnerabilities. The Guidance is silent on manufacturers’ postmarket reporting obligations under these circumstances.[34]
 
One commenter suggests that FDA "align post-market management of cybersecurity with existing quality system requirements in 21 CFR Part 820. This will incorporate a risk-based approach in the context of the product's intended use."[35] The commenter urges FDA to "rely upon existing standards applicable to quality systems and avoid developing and implementing parallel paths for managing post-market cybersecurity risk."[36]
 
Conclusion
 
Medical device cybersecurity is a growing concern.  In FDA's announcement of the Guidance, Dr. Suzanne Schwartz with FDA's Center for Devices and Radiological Health stated:  "The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices …. Only when we work collaboratively and openly in a trusted environment, will we be able to best protect patient safety and stay ahead of cybersecurity threats." As the Guidance makes clear, device cybersecurity is a lifecycle concern that extends into the postmarket phase, and medical device manufacturers play a critical role in safeguarding the confidentiality, integrity, and availability of device data.

For more information on the Internet of Things and its impact on health care, contact Kimberly Metzger or a member of our Internet of Things practice.


[1] These include FDA's Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (draft issued June 14, 2013; final issued October 2, 2014).  Key principles include cybersecurity as a shared responsibility among device stakeholders; the need to address cybersecurity during product design and development; and the need to establish design inputs for device cybersecurity, and establish a cybersecurity vulnerability and management approach, as part of software validation and risk analysis required by 21 CFR 820.30(g).
[2] Dr. Suzanne Schwartz, Associate Director for Science and Strategic Partnerships, Acting Director Emergency Preparedness/Operations and Medical Countermeasures Program (EMCM), Center for Devices and Radiological Health (CDRH), Food and Drug Administration (FDA).  Medical Device Cybersecurity: Year in Reflection and Looking Ahead.  Presentation at FDA's Moving Forward:  Collaborative Approaches to Medical Device Cybersecurity ("Moving Forward") (Jan. 20, 2016) ("Schwartz Presentation").
[3] One commenter recommends "additional clarity in the document that its recommendations should not form the basis of a citable event during an inspection." (Comments of Abbott Laboratories, April 21, 2016). See also Comments of Advanced Medical Technology Association (AdvaMed), April 21, 2016.
[4] Comments of Sanofi, April 21, 2016.
[5] Comments of the 510(k) Coalition, April 21, 2016.
[6] Id.
[7] Comments of the Novartis Group Companies, April 21, 2016.
[8] Id.
[9]  Workshop program book for "Moving Forward:  Collaborative Approaches to Medical Device Cybersecurity" (January 20-21, 2016), presented by FDA Center for Devices & Radiological Health, National Health Information Sharing Analysis Center (NH-ISAC), Department of Health and Human Services (HHS), and Department of Homeland Security ("Cybersecurity Workshop Book"), p. 3.
[10] FDA requires manufacturers to establish and maintain an appropriate "quality system" for each medical device it designs or manufactures.  (21 CFR 820.5).  A quality system is the manufacturer’s structure, responsibilities, procedures, processes, and resources for ensuring that a device is fit for use.  (21 CFR 820.3(s), (v)). 
[11] The bill was introduced on October 1, 2015, by Rep. Anna Eshoo (D-CA), and was referred to the House Committee on Science, Space, and Technology.
[12] Comments of the Medical Device Privacy Consortium, April 21, 2016.
[13] The Guidance suggests that "[v]ulnerabilities that do not appear to currently impact essential clinical performance should be assessed by the manufacturer for future impact." (Guidance, p. 12). However, FDA does not suggest a standard for assessing "future impact."
[14] One commenter, the 510(k) Coalition, gives examples of complex situations: "an in vitro diagnostic analyzer that may run 300 or 400 different assays" or "a device with multiple intended uses."
[15] Id.
[16] Comments of ACT|The App Association, April 21, 2016. Another commenter echoes this sentiment: "we support elimination of the concept of 'essential clinical performance' from the guidance, and instead recommend focus on maintaining device functionality and safety, as described in the premarket cybersecurity guidance." (Comments of Abbott Laboratories, April 21, 2016).
[17] Comments of St. Jude Medical, April 21, 2016.
[18] Id.
[19] One public commenter suggests that the Guidance include "signals originating from third party suppliers of hardware or software technology, as well as non-security-centric researchers." Therefore, this commenter suggests the following change: "A cybersecurity signal could originate from traditional information sources such as internal investigations, postmarket surveillance, or complaints, security-centric sources such as CERTS …, ISAOs and security researchers, suppliers of software and hardware technology, and/or other researchers and professionals." Id. n.7.
[20] CERTs are expert groups that receive, analyze, and coordinate the response to cybersecurity vulnerability reports and incidents. The term originated with the CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute, formed in 1988; the United States Computer Emergency Readiness Team (US-CERT), established in 2003, is one of many teams that have since adopted the name. Such teams are also called Computer Security Incident Response Teams (CSIRTs).
[21] The purpose of ISAOs is to gather, analyze, and disseminate cyber threat information.  Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing (February 13, 2015), calls for the development of ISAOs to promote better cybersecurity information sharing between the private sector and government, and enhance collaboration and information sharing amongst the private sector.  FDA considers participation in an ISAO a "critical component of a medical device manufacturer's comprehensive proactive approach to management of postmarket cybersecurity threats and vulnerabilities and a significant step towards assuring the ongoing safety and effectiveness of marketed medical devices."  (Guidance, p. 7).
[22] Comments of Virta Laboratories, Inc. (undated).
[23] Id.
[24] See NIST Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments (September 2012) ("Risk Assessment Guide"), p. B-9.
[25] Id.
[26] Risk Assessment Guide, p. 8 and Appendix D.
[27] Risk Assessment Guide, p. 30.
[28] Schwartz Presentation, January 20, 2016.
[29] An example of a compensating control is an instruction to device users to reconfigure the hospital network (for example, by placing the device on a segregated network segment or blocking inbound connections to it) to prevent unauthorized or unintended access to the device from the network, assuming the device can operate safely and effectively without network access.
[30] FDA recommends ISO/IEC 29147:2014, Information Technology – Security Techniques – Vulnerability Disclosure as a resource.
[31] Comments of the 510(k) Coalition, April 21, 2016.
[32] One commenter suggests this condition be changed to: "Within 30 days of identifying an uncontrolled risk, the manufacturer identifies, develops, and begins distribution of device changes and/or compensating controls to bring the residual risk to an acceptable level …." (Comments of St. Jude Medical, April 21, 2016). According to the commenter, this change will allow the manufacturer to "focus remediation efforts on vulnerabilities that have been objectively identified as having a true impact versus a perceived vulnerability or claim of a vulnerability." Id. It will also "allow full device fleet changes (especially for offline or intermittently connected products) to be completed and implemented outside the required timeframe." Id. The commenter also emphasizes that the Guidance must "factor in the scenario where the manufacturer may not be in control of the implementation of the patch provided …." Id. Finally, the commenter notes that while uncontrolled cybersecurity risks should be remediated as soon as possible, the allowable timeframe must also encompass achieving safety, clinical effectiveness, and customer/patient communication objectives. Id. Type of risk, severity of risk, complexity of the issue, and whether the device is a legacy device are additional factors to consider in determining the appropriate timeframe for remediation. (Comments of Abbott Laboratories, April 21, 2016).
[33] For each of the nation’s "critical infrastructures," a designated private sector-led Information Sharing & Analysis Center (ISAC) is entrusted with advancing physical and cybersecurity protection by "establishing and maintaining collaborative frameworks for operational interaction between and among members and external partners."  The National Health ISAC (NH-ISAC) is the "tactical and operational arm advancing national healthcare and public health critical infrastructure resilience – all hazards (cyber and physical) security intelligence situational awareness analysis and reporting, secure trusted two-way information sharing, countermeasure solutions, incident response, leading practice and education."
[34] Id. n.7.
[35] Comments of the 510(k) Coalition, April 21, 2016. See also Comments of Advanced Medical Technology Association (AdvaMed), April 21, 2016.
[36] Id.