Meeting the Postmarket Challenge: FDA Offers Recommendations for Postmarket Medical Device Cybersecurity
From insulin pumps to pacemakers, implantable defibrillators to prosthetics, more and more medical devices are wireless, internet- or network-connected, or contain configurable embedded computer systems. These devices, like other “smart” products, are subject to cybersecurity vulnerabilities, threats, and exploits (see
Definitions section, following). The health care and public health critical infrastructure has been called "the largest attack surface for national security today."
As devices become smarter, cybersecurity must keep pace. Dr. Suzanne Schwartz, of FDA's Center for Devices and Radiological Health, recently noted that "… acceptance of this new reality has not come easy for stakeholders within the [medical device] sector. And it does require ultimately an attitudinal and culture shift. As challenging as it is to effect change in mindset and behavior, we all must come to terms with this being the new reality." Emerging concerns on health care and public health cybersecurity threat landscape include:
Health care is late to cybersecurity. While the financial and commercial sectors have a history in cybersecurity, health care is a more recent target. Because it has moved quickly into the crosshairs, health care must move quickly to keep pace.
Exponential growth in connectivity. As more devices are smarter, it is vital to keep up with controls and ahead of threats.
It's not all about manufacturers. Regulated devices are a smaller and smaller part of the overall medical device ecosystem. Device manufacturers can only do so much to affect the whole, even while they are affected by it.
Wide range of threat sources. From unintentional threats to advanced threat actors, perhaps the most concerning threat to health data comes from "hacktivists" whose motivations are not always entirely clear.
Monetization of health data for dollars and nation/state value. Advanced threat sources such as ransomware may become commonplace.
Fear of sharing. Hacked or breached entities may fear repercussions (further compromise, lawsuits, fines, investigations) if they share information about their compromise.
Inadequate or failed cybersecurity for any product can inconvenience the user and cause the manufacturer financial and reputational harm. Compromised cybersecurity in medical devices can threaten health and safety, compromise the confidentiality, integrity, and availability of critical medical data, and serve as an access point for entry into hospital and health care facility networks. With good reason, medical device cybersecurity is front and center with industry and FDA.
On January 22, 2016, FDA issued Postmarket Management of Cybersecurity in Medical Devices, the latest in a series of FDA guidance documents and safety communications addressing cybersecurity throughout the medical device lifecycle.
While design controls incorporated into the product help alleviate risk, manufacturers must also consider improvements during postmarket device maintenance. The Guidance clarifies FDA’s postmarket recommendations, and emphasizes that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as a part of routine postmarket medical device management.
Several important principles underlie the Guidance:
Cybersecurity is a shared responsibility. Device manufacturers do not operate in a cyber bubble. FDA considers cybersecurity a “shared responsibility” among medical device stakeholders, including manufacturers, patients, providers, and health care facilities. Cybersecurity best practices for FDA-regulated entities necessarily include collaboration, both within the medical device community and among the larger group of stakeholders. Collaboration fosters a shared understanding of identified vulnerabilities, risk assessment and management, and pre-impact mitigation and remediation.
Cybersecurity is a lifetime commitment. Cyber threats are continually evolving, and premarket controls are insufficient to mitigate risk. A manufacturer’s cybersecurity risk management plan (RMP) should incorporate both premarket and postmarket phases. As FDA emphasizes, “[s]afeguarding the nation’s public health with respect to medical device cybersecurity requires attentiveness to the total product lifecycle, from design to obsolescence.”
Cybersecurity is proactive and risk-based. A proactive, risk-based approach to postmarket cybersecurity helps mitigate emerging risks and reduce patient impact. This includes sharing and monitoring information, engaging in routine device cyber maintenance, using a risk-based approach to characterizing vulnerabilities, and timely implementing necessary action.
FDA will incentivize manufacturers. The proposed regulatory policy incentivizes proactive behavior and good cyber hygiene.
While there is no “one-size-fits-all” approach to managing device cybersecurity – individual manufacturers will always experience unique vulnerabilities, threats, risk tolerance, and implementation standards – the Guidance will help device manufacturers evaluate critical risk management activities and prioritize investments to maximize patient safety.
Postmarket Cybersecurity Risk Management – Definitions and General Principles
The concepts of vulnerability, threat, and exploit underlie cybersecurity at all phases of the device lifecycle:
Vulnerability: "a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat."
Exploit: "an instance where a vulnerability or vulnerabilities have been exercised (accidentally or intentionally) and could impact the essential clinical performance of a medical device or use a medical device as a vector to compromise the performance of a connected device or system"
Threat: "any circumstance or event with the potential to adversely impact the essential clinical performance of the device, organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service …. Threats exercise vulnerabilities, which may impact the essential clinical performance of the device."
A cybersecurity RMP is the manufacturer’s “ongoing process for identifying hazards associated with the cybersecurity of a medical device, estimating and evaluating the associated risks, controlling those risks, and monitoring the effectiveness of the controls.” (Guidance, p. 13). The cybersecurity RMP should be consistent with the manufacturer’s FDA-mandated quality system for medical devices, including complaint handling, quality audit, corrective and preventive action, and software validation and risk analysis.
Basic components of an effective cybersecurity RMP include:
Practicing good routine cyber hygiene. Although the Guidance does not define "cyber hygiene," H.R. 3664, Promoting Good Cyber Hygiene Act of 2015, provides a working definition: "processes, procedures, and mechanisms that help protect information systems and devices against cybersecurity threats, including … (1) unauthorized access; (2) alteration of information or code running or intended to be running on such systems or devices; and (3) unauthorized denials of service to authorized users of these systems or devices." The bill requires the National Institute of Standards and Technology (NIST) to establish for the federal government, the private sector, and any individual or organization a list of voluntary best practices for effective and usable cyber hygiene.
Performing appropriate software validation. FDA requires that each manufacturer of a class III, class II, or enumerated class I device "establish and maintain procedures to control the design of the device in order to ensure that specified design requirements are met." (21 CFR 820.30(a)(1)). This includes "design validation" to "ensure that devices conform to defined user needs and intended uses …." (21 CFR 820.30(g)). "Software validation," where appropriate, is a component of design validation. Id.
Properly documenting methods and controls used in the design, manufacture, packaging, labeling, storage, installation, and servicing of all finished devices, as required by current good manufacturing practice (CGMP) (21 CFR 820).
FDA recommends that device manufacturers apply NIST's voluntary 2014 Framework for Improving Critical Infrastructure Cybersecurity when developing and implementing their cybersecurity RMPs. The NIST framework focuses on using business drivers to guide cybersecurity activities, and considering cybersecurity risks as part of the entity's overall risk management program. The framework is built around five concurrent and continuous functions that together provide a high-level, strategic view of how the organization manages cybersecurity risk.
RMP Function 1 – Identify.
Identify: Define ECP; identify cybersecurity signals.
Protect/Detect: Characterize and assess vulnerabilities; perform risk analysis (including threat modeling); analyze threat sources; incorporate threat detection capabilities; assess the impact of a cybersecurity signal both horizontally and vertically.
Respond/Recover: Implement compensating controls, and mitigate residual risk to ECP.
FDA takes a "controlled vulnerabilities" approach to postmarket device cybersecurity. The goal of a cybersecurity RMP is to identify device vulnerabilities that threaten essential clinical performance (ECP), and manage risk to ECP to a controlled (acceptable) level.
“Essential clinical performance” is the level of device performance necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer. (Guidance p. 9). Defining ECP allows the manufacturer to evaluate potential impacts from the vulnerability, and determine whether a proposed mitigation will reasonably control risk to ECP.
Identifying cybersecurity vulnerabilities is a type of signal detection. A “cybersecurity signal” is “any information which indicates the potential for, or confirmation of, a cybersecurity vulnerability or exploit that affects, or could affect a medical device.” (Guidance p. 8). Manufacturers should establish and implement a "clear, consistent, and reproducible process" to detect and address cybersecurity signals. Manufacturers should consider an array of internal and external information sources to inform cybersecurity signal detection, including internal investigations, postmarketing surveillance, complaints and adverse event reports, and external cyber-centric organizations.
FDA strongly encourages manufacturers to enhance signal detection capabilities by participating in a cybersecurity Information Sharing Analysis Organization (ISAO) and by incorporating detection mechanisms into device design and features – i.e., to implement security by design.
RMP Functions 2 and 3: Protect and Detect.
FDA recommends that manufacturers conduct a cybersecurity risk analysis for each device. The Guidance does not define "risk analysis," but the NIST definition can be adapted for this purpose: a cybersecurity risk analysis is the process of identifying, estimating, and prioritizing risks to ECP resulting from vulnerabilities.
Risk analysis is part of the manufacturer's cybersecurity RMP. It involves analyzing and characterizing vulnerabilities and threats, as well as assessing the impact of planned or future compensating controls and mitigations. 
FDA recommends that manufacturers use threat modeling to inform their cybersecurity risk analysis. Threat modeling is a methodology for optimizing network, application, and internet security by identifying objectives and vulnerabilities, and defining countermeasures to prevent or mitigate the effects of threats. (Guidance p. 10). In the medical device context, manufacturers can use threat modeling to identify vulnerabilities to a particular product or product line, or from the organization’s supply chain, that could adversely affect patient safety.
Characterizing and assessing vulnerabilities is a part of risk analysis and helps the manufacturer triage vulnerabilities for remediation. This involves evaluating exploitability and severity.
“Exploitability” is the ease with which a threat source or sources can exploit the vulnerability. Assessing exploitability involves identifying and analyzing the threat source itself. Threat sources may be adversarial (hostile cyber or physical attacks); accidental (human errors of omission or commission); structural (failures of organization-controlled resources, such as hardware, software, environmental controls); and environmental (natural and man-made disasters, accidents, and failures beyond the organization’s control). The manufacturer should consider as many credible information sources as possible to obtain information on threat sources. Characterizing the threat means attaching a value (e.g., very low → low → moderate → high → very high) to the capability and intent of adversarial threat sources, and the severity and range of effects for non-adversarial threat sources. The Guidance describes several ways to evaluate and qualify exploitability (e.g., low → medium → high).
“Severity” means the degree of health impacts that would result from the exploited vulnerability. The Guidance also describes ways to evaluate and qualify severity (e.g., on a negligible → minor → serious → critical → catastrophic scale).
Developing and validating meaningful tools for assessing vulnerabilities in the clinical environment is an area of focus for FDA going forward.
A "key purpose" of risk analysis is to evaluate residual risk to ECP. Residual risk is the degree of risk an exploited vulnerability presents to ECP after taking into account existing device features and "compensating controls." Residual risk may be either controlled (acceptable) or uncontrolled.
Controlled risk is present when there is “sufficiently low (acceptable) residual risk that the device’s essential clinical performance could be compromised by a cybersecurity vulnerability.” (Guidance p. 8).
Uncontrolled risk is present when there is “unacceptable residual risk that the device’s clinical performance could be compromised due to insufficient compensating controls and risk mitigations.” (Guidance p. 10).
FDA advises manufacturers to use "an established process that is tailored to the product, its essential clinical performance, and the situation" to determine whether residual risk is controlled or uncontrolled. (Guidance p. 15). One way to do this is to plot exploitability against severity, considering compensating controls. A "compensating control" is a “safeguard or countermeasure, external to the device, employed by a user in lieu of, or in the absence of [,] sufficient controls that were designed in by a device manufacturer, and that provides supplementary or comparable cyber protection for a medical device.” (Guidance pp. 7-8).
Using the recommended fact-specific analysis, a manufacturer might determine that a vulnerability at high risk for exploitation presents a controlled risk because the resulting health impacts (with or without compensating controls) would be negligible. Conversely, the manufacturer might determine that a vulnerability at low risk for exploitation presents an uncontrolled risk because the resulting health impacts (with or without compensating controls) would be catastrophic.
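As an added illustration (not the Guidance's own method, nor FDA code), the following Python models the exploitability-versus-severity analysis described above, including the two cases just given. The two scales are the ones the Guidance names; the cut-off rules, the one-step effect of each compensating control in place, and the sample vulnerabilities are assumptions constructed for this example.

```python
"""Residual-risk classification for a postmarket cybersecurity RMP (added example)."""
from dataclasses import dataclass, field

# Ordinal scales named in the Guidance (lower index = less risk).
EXPLOITABILITY = ["low", "medium", "high"]
SEVERITY = ["negligible", "minor", "serious", "critical", "catastrophic"]


@dataclass
class Vulnerability:
    name: str
    exploitability: str  # low / medium / high
    severity: str        # negligible ... catastrophic (health impact)
    # Compensating controls are external to the device (e.g. a network
    # reconfiguration the user applies). Assumption for this example: each
    # control actually in place lowers exploitability by one step and never
    # changes severity, since the health impact of a successful exploit is
    # unchanged by where the control sits.
    compensating_controls: list = field(default_factory=list)
    controls_in_place: int = 0


def residual_exploitability(v: Vulnerability) -> str:
    """Exploitability after accounting for the compensating controls in place."""
    if v.exploitability not in EXPLOITABILITY:
        raise ValueError(f"unknown exploitability: {v.exploitability!r}")
    applied = min(v.controls_in_place, len(v.compensating_controls))
    idx = max(0, EXPLOITABILITY.index(v.exploitability) - applied)
    return EXPLOITABILITY[idx]


def classify_residual_risk(v: Vulnerability) -> str:
    """Return 'controlled' or 'uncontrolled' risk to ECP.

    Constructed decision rules (an assumption, not taken from the Guidance):
      * negligible or minor health impact -> controlled at any exploitability
      * catastrophic health impact        -> uncontrolled at any exploitability
      * serious or critical               -> uncontrolled unless residual
                                            exploitability is low
    """
    if v.severity not in SEVERITY:
        raise ValueError(f"unknown severity: {v.severity!r}")
    sev = SEVERITY.index(v.severity)
    expl = EXPLOITABILITY.index(residual_exploitability(v))
    if sev <= SEVERITY.index("minor"):
        return "controlled"
    if sev == SEVERITY.index("catastrophic"):
        return "uncontrolled"
    return "controlled" if expl == 0 else "uncontrolled"


def triage(vulns: list) -> list:
    """Order signals for remediation: uncontrolled first, then by severity
    and residual exploitability, highest first."""
    def key(v):
        return (classify_residual_risk(v) != "uncontrolled",
                -SEVERITY.index(v.severity),
                -EXPLOITABILITY.index(residual_exploitability(v)))
    return sorted(vulns, key=key)


if __name__ == "__main__":
    # Constructed sample signals; the first two mirror the cases in the text.
    sample = [
        Vulnerability("status log readable without authentication", "high", "negligible"),
        Vulnerability("therapy command interface lacks authentication", "low", "catastrophic"),
        Vulnerability("update channel lacks integrity verification", "high", "serious",
                      ["place device on isolated network segment"], controls_in_place=1),
    ]
    for v in triage(sample):
        print(f"{classify_residual_risk(v):12s} {residual_exploitability(v):7s} {v.name}")
```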
FDA recommends that manufacturers incorporate threat detection capabilities into medical devices – design features that establish or enhance the device's ability to "detect and produce forensically sound postmarket evidence capture in the event of an attack." (Guidance p. 24). This is superior to network monitoring alone and may help the manufacturer assess and remediate risk.
Manufacturers should strive for wide impact when expending resources on cybersecurity signal detection. FDA recommends that manufacturers comprehensively assess a signal's impact, both horizontally (across all devices in the portfolio, including those in development, and those not yet cleared, approved, or marketed) and vertically (across all components within a device).
RMP Functions 4 and 5: Respond and Recover
While FDA recommends device-based features as the "primary" means of mitigating a vulnerability's impact on ECP, manufacturers should also assess and recommend additional compensating controls (external to the device) to further mitigate impact. This includes developing, implementing, and notifying users of "official fixes, temporary fixes, and work-arounds." (Guidance p. 24). FDA also recommends a "coordinated vulnerability disclosure policy."
Remediating Controlled Risk to ECP
Good cyber hygiene and risk reduction are important even when residual risk is acceptable. Additionally:
Changes to a device made solely to strengthen cybersecurity are usually considered device enhancements (which may include cybersecurity routine updates and patches), and do not require reporting. Device manufacturers must report to FDA any correction or removal of a device initiated by the manufacturer to reduce risk to health posed by the device, or to remedy a violation of the FD&C Act caused by the device which may present a risk to health. (21 CFR 806.10(a)). However, the draft Guidance creates an exception to the reporting requirement for “cybersecurity routine updates and patches,” which are "updates or patches to a device to increase device security and/or remediate vulnerabilities associated with a controlled risk and not to reduce a risk to health or correct a violation of the FD&C Act." They include:
[A]ny regularly scheduled security updates or patches to a device, including upgrades to the software, firmware, programmable logic, hardware, or security of a device to increase device security as well as updates or patches to address vulnerabilities associated with controlled risk performed earlier than their regularly scheduled deployment cycle even if they are distributed to multiple units .... [They] may also include changes to product labeling, including the instructions for use, to strengthen cybersecurity through increased end-user education and use of best practices.
(Guidance p. 8). Note that FDA does not consider security updates made to "remediate vulnerabilities associated with a reasonable probability that use of, or exposure to, the product will cause serious adverse health consequences or death” to be cybersecurity routine updates or patches. Id.
The Guidance provides examples of vulnerabilities associated with controlled risk, and their management, as well as recommended content to include in the periodic report.
Remediating Uncontrolled Risk to ECP
FDA recommends that manufacturers implement additional compensating controls or changes when a cybersecurity vulnerability presents an uncontrolled risk to ECP:
Implement remediation strategies to reduce risk to ECP to a controlled level.
Implement mitigations and compensating controls (such as work-arounds and temporary fixes) to adequately mitigate risk.
Report these vulnerabilities to FDA according to 21 CFR 806, “Medical Devices: Reports of Corrections and Removals” (unless reported under 21 CFR 803 (“Medical Device Reporting”) or 1004 (“Repurchase, Repairs, or Replacement of Electronic Products”)).
However, FDA states it does not intend to enforce reporting requirements under 21 CFR 806 if all of the following are met:
There are no known serious adverse events or deaths associated with the vulnerability;
Within 30 days of learning of the vulnerability, the manufacturer “identifies and implements changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users;” and
The manufacturer is a participating member of an ISAO, such as NH-ISAC.
Remediation of devices with annual reporting requirements should be included in the annual report.
Evaluate device changes to assess whether to submit a premarket submission (PMA supplement, 510(k), etc.).
Provide customers and users relevant information on recommended work-arounds, temporary fixes, and residual risks to enable them to take appropriate mitigation steps and make informed decisions.
For PMA devices with periodic reporting requirements under 21 CFR 814.84, report information on vulnerabilities, and implemented device changes and compensating controls, to FDA in a periodic report. Section VIII of the Guidance describes recommended content to include in PMA periodic reports. This includes a brief description of the vulnerability and how the manufacturer became aware of it, a summary of the manufacturer’s risk assessment, a description of the changes made, and the rationale for making the change.
(Guidance pp. 18-19).
If the manufacturer does not remediate uncontrolled risk to ECP, the device may violate the FD&C Act and be subject to enforcement. The Guidance provides examples of vulnerabilities associated with uncontrolled risk, and response/remediation actions.
Medical device cybersecurity is a growing concern. In FDA's announcement of the Guidance, Dr. Suzanne Schwartz with FDA's Center for Devices and Radiological Health stated: "The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices …. Only when we work collaboratively and openly in a trusted environment, will we be able to best protect patient safety and stay ahead of cybersecurity threats."
The FDA encourages public comments on the draft Guidance, which will be open until April 21, 2016.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
Dr. Suzanne Schwartz, Associate Director for Science and Strategic Partnerships, Acting Director, Emergency Preparedness/Operations and Medical Countermeasures Program (EMCM), Center for Devices and Radiological Health (CDRH), Food and Drug Administration (FDA). Medical Device Cybersecurity: Year in Reflection and Looking Ahead. Presentation at FDA's Moving Forward: Collaborative Approaches to Medical Device Cybersecurity ("Moving Forward") (Jan. 20, 2016) ("Schwartz Presentation").
These include FDA's Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (draft issued June 14, 2013; final issued October 2, 2014). Key principles include cybersecurity as a shared responsibility among device stakeholders; the need to address cybersecurity during product design and development; and the need to establish design inputs for device cybersecurity, and establish a cybersecurity vulnerability and management approach, as part of software validation and risk analysis required by 21 CFR 820.30(g).
Workshop program book for “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity” (January 20-21, 2016), presented by FDA Center for Devices & Radiological Health, National Health Information Sharing Analysis Center (NH-ISAC), Department of Health and Human Services (HHS), and Department of Homeland Security (“Cybersecurity Workshop Book”), p. 3.
FDA requires manufacturers to establish and maintain an appropriate “quality system” for each medical device it designs or manufactures. (21 CFR 820.5). A quality system is the manufacturer’s structure, responsibilities, procedures, processes, and resources for ensuring that a device is fit for use. (21 CFR 820.3(s), (v)).
The bill was introduced on October 1, 2015, by Rep. Anna Eshoo (D-CA), and was referred to the House Committee on Science, Space, and Technology.
The purpose of ISAOs is to gather, analyze, and disseminate cyber threat information. Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing (February 13, 2015), calls for the development of ISAOs to promote better cybersecurity information sharing between the private sector and government, and enhance collaboration and information sharing amongst the private sector. FDA considers participation in an ISAO a "critical component of a medical device manufacturer's comprehensive proactive approach to management of postmarket cybersecurity threats and vulnerabilities and a significant step towards assuring the ongoing safety and effectiveness of marketed medical devices." (Guidance p. 7).
Risk Assessment Guide, p. 8 and Appendix D.
Risk Assessment Guide, p. 30.
Schwartz Presentation, January 20, 2016.
An example of a compensating control is an instruction to device users to reconfigure the hospital network to prevent unauthorized or unintended access to the device from the network (assuming the device can safely and effectively operate without network access).
FDA recommends ISO/IEC 29147:2014, Information Technology – Security Techniques – Vulnerability Disclosure as a resource.
For each of the nation’s "critical infrastructures," a designated private sector-led Information Sharing & Analysis Center (ISAC) is entrusted with advancing physical and cybersecurity protection by "establishing and maintaining collaborative frameworks for operational interaction between and among members and external partners." The National Health ISAC (NH-ISAC) is the "tactical and operational arm advancing national healthcare and public health critical infrastructure resilience – all hazards (cyber and physical) security intelligence situational awareness analysis and reporting, secure trusted two-way information sharing, countermeasure solutions, incident response, leading practice and education."