
Meeting the Postmarket Challenge II: FDA Releases Final Guidance for Medical Device Cybersecurity Management

This article is part of Ice Miller’s Smart Health Care Guide. In this guide, your team will have opportunities to explore best practices, consider the regulatory environment, and learn of potential business and legal risks related to the IoT in the health care industry.

From insulin pumps to pacemakers, implantable defibrillators to prosthetics, more and more medical devices are wireless, Internet- or network-connected, or contain configurable embedded computer systems. While smart medical devices offer tremendous lifestyle and patient-care advantages, they are subject to unique cybersecurity threats and vulnerabilities, and a resulting risk of patient harm. Dr. Suzanne B. Schwartz, Deputy Director of the U.S. Food and Drug Administration (FDA), emphasizes that cybersecurity threats are "real, ever-present, and continuously changing," and that "constant" attempts to infiltrate and attack hospital networks threaten patient safety.

To appropriately manage risk of patient harm, device manufacturers must identify, evaluate, and mitigate threats and vulnerabilities throughout the product lifecycle, from design to development and beyond into the marketplace. Premarket (designed-in) cybersecurity controls go only so far. Because the threat landscape is constantly evolving, device manufacturers need a robust postmarket cybersecurity risk management program that extends to device maintenance.

Risk mitigation may involve making changes to marketed and distributed medical devices. Manufacturers must report to FDA, within 10 days of initiation, any device "correction or removal"[1] implemented to reduce a risk to health, or to remedy a violation of the Federal Food, Drug, and Cosmetic Act (Act) which may present a risk to health.[2] However, some postmarket device changes are not corrections or removals, and are not subject to the 10-day reporting requirement. The difference is not always clear.

On December 28, 2016, FDA released final guidance entitled Postmarket Management of Cybersecurity in Medical Devices (Guidance), following the January 2016 draft guidance and public comment period.[3] The Guidance clarifies FDA’s recommendations to industry for managing postmarket cybersecurity vulnerabilities, and this should be an established part of the manufacturer’s overall device management strategy. The Guidance also establishes a risk-based framework for determining when a manufacturer must report postmarket, vulnerability-based device changes to FDA, and outlines circumstances under which FDA “does not intend” to enforce reporting requirements under 21 CFR part 806 (i.e., an informal reporting safe harbor).

The Guidance is built on the core principles of threat, vulnerability, and risk of patient harm.
  • A threat is a circumstance or event that works through an information system to cause adverse impacts to the device, individuals, the manufacturer’s organizational operations or assets, and/or other organizations. It may accomplish these impacts through unauthorized access to – or destruction, disclosure, or modification of – information, and/or through denial of access. Threats exercise device vulnerabilities, which may impact device safety or essential performance.[4]
  • A vulnerability is a weakness (in an information system, system security procedures, internal controls, human behavior, or implementation) that a threat can exploit.[5]
  • Risk results when a cybersecurity threat exercises a device vulnerability.[6] Risk is typically expressed as a function of the likelihood that the threat will exercise the vulnerability, and the severity of the resulting impact. When exercised vulnerabilities impact device safety or critical performance, patient harm may result. The Guidance focuses on whether the risk of patient harm is sufficiently controlled. The Guidance defines “patient harm” to include only physical injury or damage to health. Non-physical harm, such as loss of confidential medical data, is not “patient harm” in this context.

The Guidance applies to:
  • All marketed and distributed medical devices, including both devices that contain software or programmable logic, and devices that are software (such as mobile medical applications);
  • Medical devices that are part of an interoperable system; and
  • “Legacy devices” (devices that are already on the market or in use).
It does not apply to investigational devices.

On January 12, 2017, FDA hosted a webinar addressing the Guidance. It is clear from the webinar that industry should distill two “bottom line up front” recommendations from the Guidance:

1. Implement a "proactive, comprehensive risk management program" with the following characteristics:
  • Applies the National Institute of Standards and Technology (NIST) Framework to Strengthen Critical Infrastructure Cybersecurity ("NIST Framework");
  • Establishes and communicates processes for vulnerability intake and handling;
  • Adopts a coordinated vulnerability disclosure policy and practice; and
  • Deploys mitigations to address risk of harm early, before cybersecurity threats exploit device vulnerabilities; and
2. Engage in collaborative information-sharing for cybersecurity threats and device vulnerabilities. 

Wireless technology and software in medical devices can improve health care and increase access. However, connected medical devices – like all other computer systems – incorporate software that is vulnerable to threats. The health care and public health critical infrastructure has been called "the largest attack surface for national security today."[7] Intrusions and breaches occur through weaknesses in the system architecture (i.e., vulnerabilities). When vulnerabilities are not addressed and remediated, they can serve as access points for entry into hospital and health care facility networks, which in turn may lead to compromised confidentiality, integrity, and availability of critical health data.

As devices become smarter, cybersecurity must keep pace. As Dr. Schwartz emphasizes, "acceptance of this new reality has not come easy for stakeholders within the [medical device] sector. And it does require ultimately an attitudinal and culture shift. As challenging as it is to effect change in mindset and behavior, we all must come to terms with this being the new reality." Emerging concerns on health care and public health cybersecurity threat landscape include:
  • Health care is late to cybersecurity. While the financial and commercial sectors have a history in cybersecurity, health care is a more recent target. Because it has moved quickly into the crosshairs, health care must be nimble in order to keep pace.
  • Exponential growth in connectivity. As more devices are smarter, it is vital to keep up with controls and ahead of threats.
  • It's not all about manufacturers. Regulated devices are a smaller and smaller part of the overall medical device ecosystem. Device manufacturers can only do so much to affect the whole, even while they are affected by it.
  • Wide range of threat sources. From unintentional threats to advanced threat actors, perhaps the most concerning threat to health data comes from "hacktivists" whose motivations are not always entirely clear.
  • Monetization of health data for dollars and nation/state value. Advanced threat sources such as ransomware may become commonplace.
  • Fear of sharing. Hacked or breached entities may fear repercussions (further compromise, lawsuits, fines, investigations) if they share information about their compromise.

The risks associated with compromised device cybersecurity are widespread and affect both manufacturers and users. It is with good reason that cybersecurity is front and center with FDA. However, the constantly evolving threat landscape means that device manufacturers cannot manage risk, including risk of patient harm, to zero. The goal at all stages of the product lifecycle is risk management rather than risk elimination.

While the Guidance is specific to the postmarket period of the device lifecycle, FDA has also issued final guidance for the premarket period: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (October 2014) ("Premarket Guidance"). The Premarket Guidance espouses three key principles:

  1. Medical device security is a "shared responsibility among stakeholders," including health care facilities, patients, providers, and medical device manufacturers.
  2. Manufacturers should address cybersecurity during device design and development.
  3. Manufacturers should establish cybersecurity-related design inputs for medical devices, and establish an approach to managing cybersecurity vulnerabilities as part of the software validation and risk analysis required by 21 CFR 820.30(g). This should include identifying assets, threats, and vulnerabilities; assessing the impact of cybersecurity threats and device vulnerabilities on device functionality and end users; assessing the likelihood that a threat will occur and exploit a vulnerability; determining risk levels and appropriate mitigation strategies; and assessing residual risk and risk assessment criteria.

FDA designed the final Guidance to advance five important goals:

  1. Ensuring that risks to public health are addressed in a continuous and timely fashion (accomplished through use of a risk-based framework).
  2. Articulating manufacturer responsibilities in the postmarket period (accomplished by leveraging existing Quality System Regulation and postmarket authorities).
  3. Fostering a collaborative and coordinated approach to information sharing and risk assessment.
  4. Aligning with Presidential Executive Orders and the NIST Framework, including Executive Order 13636, Improving Critical Infrastructure Cybersecurity (February 19, 2013), and Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing (February 13, 2015).[8]
  5. Incentivizing the "right" behavior.
Manufacturers should keep these goals in mind when assessing and evaluating the Guidance – how does each recommendation, and the recommendations as a whole, advance FDA's goals?

Several important changes occurred from the draft to the final Guidance:

  • The informal "safe harbor" for non-reporting of device vulnerabilities associated with uncontrolled risk of patient harm now includes a 60-day remediation timeframe (increased from 30 days);
  • The postmarket goal of maintaining "essential clinical performance" has been changed to maintaining "safety and essential performance," and is scoped to risk of patient harm;
  • FDA provides specific criteria for "active participation" in an ISAO, as related to the informal "safe harbor" requirements; and
  • The scope of risk to "patient harm" has been clarified to exclude privacy and confidentiality harms.

Patient harm may occur if an exploited vulnerability compromises device safety and essential performance.
Manufacturers must, therefore, identify device safety and essential performance as part of their postmarket cybersecurity risk management. The Guidance does not define "essential performance," but the recent FDA webinar states that the term encompasses device functions that "must remain operational" for the device to fulfill its intended use.[9]

Manufacturers must assess the risk of patient harm that will result if a cybersecurity threat triggers a device vulnerability and impacts device safety and essential performance. Risk of patient harm in this situation is a function of two variables: exploitability and severity.

1. Assessing Exploitability.
Exploitability is the ease with which the cybersecurity threat can trigger the device vulnerability. Assessing exploitability necessarily involves identifying and analyzing the threat source itself. Threat sources may be adversarial (hostile cyber or physical attacks); accidental (human errors of omission or commission); structural (failures of organization-controlled resources, such as hardware, software, environmental controls); and environmental (natural and man-made disasters, accidents, and failures beyond the organization’s control).[10] The manufacturer should consult as many credible sources as possible to obtain information on threat sources.

FDA recommends using a scoring system to assess exploitability and rate the urgency of a response.
Factors contributing to the exploitability assessment may include:
  • Location of the attack vector
  • Complexity of the attack
  • Privileges required to exploit the vulnerability
  • User interaction required to exploit the vulnerability
  • Impact on data confidentiality
  • Impact on data integrity
  • Impact on data availability
  • Maturity of the exploit code
  • Remediation level (e.g., unavailable, work-around, temporary fix, official fix)
  • Report confidence (e.g., confirmed, reasonable, unknown)

The Guidance suggests several existing resources manufacturers can leverage to establish a repeatable process for assessing exploitability, such as the "Common Vulnerability Scoring System," Version 3.0.

2. Assessing Severity.

Manufacturers can use qualitative levels to assess the severity of patient harm resulting from an exploited cybersecurity vulnerability. Severity levels may include:

Severity Level   Exploited Vulnerability Results in…
Negligible       Inconvenience or temporary discomfort
Minor            Temporary injury or impairment not needing professional medical intervention
Serious          Temporary injury or impairment needing professional medical intervention
Critical         Permanent impairment or life-threatening injury
Catastrophic     Death

Manufacturers can leverage existing tools to establish a repeatable process for assessing severity.

3. Assessing Risk of Patient Harm: Controlled, or Uncontrolled?

FDA recommends that device manufacturers use their assessments of exploitability and severity to make a "binary determination" of whether the risk of patient harm resulting from exploitation of an identified device vulnerability is controlled (acceptable) or uncontrolled (unacceptable). This should result from an "established process that is tailored to the product, its safety and essential performance, and the situation."[11] This determination will drive remediation efforts and vulnerability reporting requirements.

One way to assess whether residual risk of patient harm is controlled or uncontrolled is to plot exploitability against severity, considering compensating controls. Using a fact-specific analysis, the manufacturer might determine that a vulnerability at high risk of exploitation presents a controlled risk of patient harm because the resulting health impacts (with or without compensating controls) would be negligible. Conversely, the manufacturer might determine that a vulnerability at low risk of exploitation presents an uncontrolled risk of patient harm because the resulting health impacts (with or without compensating controls) would be catastrophic.

4. Remediating and Reporting Cybersecurity Vulnerabilities

FDA generally (and naturally) recommends "efficient, timely, and ongoing cybersecurity risk management" at all stages of the device life cycle. To reduce the risk of patient harm resulting from cyber-threats exploiting device vulnerabilities, manufacturers should:

  • Adopt coordinated vulnerability disclosure policies and procedures;[12]
  • Practice good cyber hygiene;[13]
  • Regularly revisit cybersecurity risk assessments;
  • Seek opportunities to reduce cybersecurity risks even when residual risk is controlled;
  • Remediate vulnerabilities to reduce the risk of patient harm to a reasonable and acceptable level;
  • Conduct appropriate software validation "to assure that any implemented remediation effectively mitigates the targeted vulnerability without intentionally creating exposure to other risks;"
  • Properly document cybersecurity controls in device design, manufacture, packaging, labeling, storage, installation, and servicing;
  • Implement compensating controls[14] when necessary to reduce the risk to patient harm presented by a cybersecurity vulnerability, "particularly when new device design controls … may not be feasible or immediately practicable;"
  • Present end users with "relevant information on recommended device and compensating controls and residual cybersecurity risk;" and
  • Assess whether changes to strengthen device security significantly affect functionality (and determine whether additional regulatory actions are appropriate).[15]
FDA also offers specific recommendations for postmarket risk management, depending on whether an identified device vulnerability results in controlled (acceptable) or uncontrolled (unacceptable) risk of patient harm.

1. No Identified Vulnerability or Risk of Patient Harm
Device manufacturers may choose to implement postmarket enhancements even when there is no identified risk of patient harm. Enhancements fall outside the Act's 10-day reporting requirements. While the Act itself does not define "enhancement," FDA guidance entitled Distinguishing Medical Device Recalls from Medical Device Enhancements (October 2014) provides that an enhancement is a "change to improve the performance or quality of a device that is … not a change to remedy a violation of the [Act] or associated regulations …."[16]

In the cybersecurity context, device enhancements include cybersecurity routine updates and patches – "changes to a device to increase device security and/or remediate only those vulnerabilities associated with controlled risk of patient harm."[17] These include regularly-scheduled security updates or patches to a device, such as upgrades to software, firmware, programmable logic, or hardware to increase device security. For purposes of the Guidance, they also include device changes made solely to address a vulnerability that, if exploited, could lead to a compromise of protected health information.[18] Both of these types of cybersecurity routine updates and patches occur outside the risk of patient harm.

2. Vulnerabilities Resulting in Controlled (Acceptable) Risk of Patient Harm

Cybersecurity routine updates and patches also include "updates or patches to address vulnerabilities associated with controlled risk [of patient harm] performed earlier than their regularly scheduled deployment cycle …."[19] Device manufacturers may deploy these controls as part of a layered or "defense-in-depth" strategy. Such controls are also generally classified as enhancements and are not subject to the Act's 10-day reporting requirements. However, for premarket approval (PMA) devices with periodic reporting requirements,[20] "newly acquired information concerning cybersecurity vulnerabilities and device changes made as part of cybersecurity routine updates and patches should be reported to FDA in a periodic (annual) report."[21]

A device manufacturer receives a user complaint that a recent software security scan of the PC component of a class III medical device indicated that the PC is infected with malware. The manufacturer's investigation confirms the presence of malware designed to collect internet browsing information. While the malware has actively collected browsing information, the collection has not and will not impact the device's safety and essential performance. The manufacturer's risk assessment determines that there is a controlled risk of patient harm resulting from the device vulnerability. Since the risk of patient harm is controlled, the manufacturer's product updates will be considered a cybersecurity routine update or patch. The manufacturer need not provide a 10-day report to FDA under 21 CFR 806.10. However, because the device is a class III device, the manufacturer should report the device changes to FDA in its periodic (annual) report required for holders of an approved PMA, pursuant to 21 CFR 814.84.

3. Vulnerabilities Resulting in Uncontrolled (Unacceptable) Risk of Patient Harm

Manufacturers should remediate uncontrolled risks "as quickly as possible."[22] Recommended activities to address vulnerabilities associated with uncontrolled risk include:
1. Remediating the vulnerability to reduce risk of patient harm to an appropriate level. Absent remediation, a device with an uncontrolled risk of patient harm may be considered in violation of the Act and subject to enforcement or other action.

2. Identifying and implementing appropriate mitigation strategies and compensating controls.

3. Providing consumers and users "relevant information" on recommended controls and residual risks to allow them to mitigate risk and make informed decisions about device use.

4. Making 10-day reports to FDA under 21 CFR part 806, unless reported to FDA under 21 CFR part 803 (medical device reporting) or 1004 (repurchase, repairs, or replacement of electronic products).[23] However, FDA "does not intend to" enforce reporting requirements under 21 CFR part 806 under the following circumstances:
  • There are no known serious adverse events or deaths associated with the vulnerability;
  • As soon as possible (but in any case, within 30 days of learning of the vulnerability), the manufacturer communicates with "customers and the user community," identifies interim compensating controls that do not introduce additional risk to safety or essential performance, and develops a plan (with a documented timeline) to reduce risk of patient harm to an appropriate level. The customer/user communication must: (1) describe the vulnerability and its assessed impact based on the manufacturer's current understanding; (2) state that the manufacturer is endeavoring to address the risk of patient harm "as expeditiously as possible;" (3) describe any compensating controls; and (4) state that the manufacturer is working to fix the vulnerability or provide a defense-in-depth strategy to reduce exploitability and/or severity, and will communicate about the availability of a fix;
  • As soon as possible (but in any case, within 60 days of learning of the vulnerability), the manufacturer fixes the vulnerability, validates the device change, and distributes the deployable fix to its customers and user community such that the residual risk is reduced to an acceptable level.[24] The manufacturer should provide follow-up as needed beyond 60 days; and
  • The manufacturer "actively participates" as a member of an Information Sharing Analysis Organization (ISAO)[25] that shares vulnerabilities and threats that impact medical devices, such as NH-ISAC,[26] and provides the ISAO with any customer communications.[27]

During development, a manufacturer incorporates into a class II device a vulnerability known to the security community, but unknown to the manufacturer. After clearance, the manufacturer becomes aware of the vulnerability and determines that the device continues to meet specifications, and that no malfunctions or patient injuries have been reported. There is no evidence that the vulnerability has been exploited. However, the manufacturer determined that the vulnerability introduced a new failure mode to the device that impacts its critical performance. The device design controls do not mitigate the risk.

The manufacturer conducts a risk assessment and determines that the risk of patient harm is uncontrolled without additional mitigations. The manufacturer does not currently have a software update to mitigate the impact of the vulnerability on the device’s essential performance. Within 30 days of learning of the vulnerability, the manufacturer notifies its customers, the ISAO, and the user community of the cybersecurity risk and instructs them to disconnect the device from the hospital network to prevent unauthorized access to the device. The manufacturer’s risk assessment concludes that the risk of patient harm is controlled with this additional mitigation. The manufacturer determines that removing the device from the network is not a viable long-term solution, and distributes a patch within 60 days of learning of the vulnerability. If the manufacturer is an active participating member of an ISAO, FDA does not intend to enforce compliance with the reporting requirement under 21 CFR part 806.

5. Including remediation of devices with annual reporting requirements (e.g., class III devices) in the annual reports.
6. Evaluating device changes to assess the need to submit a premarket submission (e.g., PMA supplement, 510(k)) to FDA.

7. For PMA devices with periodic reporting requirements under 21 CFR 814.84, reporting to FDA in periodic (annual) report information about the vulnerability, and the device changes and compensating controls implemented in response.[28] The report should include:
  • A brief description of the vulnerability and how the manufacturer became aware of it;
  • A summary of the manufacturer's risk assessment, including determination of whether the risk of patient harm was controlled or uncontrolled;
  • A description of changes made, "including a comparison to the previously approved version of the device;"
  • The manufacturer's rationale behind the changes;
  • Reference to other submissions/devices modified in response to the vulnerability;
  • Identification of events related to the rationale/reason for the device changes (e.g., MDR numbers; recall numbers);
  • Unique Device Identification, if available;
  • A link to an ICS-CERT advisory or other government or ISAO alert, if applicable;
  • All distributed customer notifications;
  • The name of the ISAO to which the vulnerability was reported, if any; and
  • Reference to other relevant submissions, if any (e.g., PMA Supplement, 30-Day Notice, 806 report), or the "scientific and/or regulatory basis for concluding that the change did not require a submission/report."[29]

Medical device cybersecurity is a growing concern, and will only broaden and deepen with the proliferation of smart medical devices. Manufacturers must strive to identify and evaluate cybersecurity threats and device vulnerabilities – and to manage resulting risks of patient harm – throughout the device lifecycle. Dr. Suzanne Schwartz, Associate Director for Science and Strategic Partnerships at FDA's Center for Devices and Regulatory Health, recently remarked:

FDA's approach [to medical device cybersecurity] is grounded in the total product lifecycle framework driving towards an ethos of continuous quality improvement. As a community, it’s essential we maintain a holistic, end to end view of medical device security from its initial stages of design through its use lifespan until it is obsolete. Anything less than that would misalign with the nature and the very landscape of security of the Internet of Things where vulnerabilities evolve and new threats emerge demanding continuous vigilance.[30]
The FDA's final Guidance helps clarify manufacturers’ responsibilities for device cybersecurity in the postmarket phase. FDA's "bottom line:" manufacturers must implement a proactive, comprehensive cybersecurity risk management program for each marketed medical device. They must also engage in collaborative information sharing to appropriately manage threats, vulnerabilities, and risk of patient harm.

Health care is a sector of critical infrastructure for the Nation, but is widely thought to be a "soft target" for significant cyberattack.[31] Diligent attention to postmarket device cybersecurity is a critical step to removing health care from the crosshairs.

For more information on the IoT and Smart Health Care, contact Kimberly Metzger, Taryn Stone or a member of our Internet of Things Industry Group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

[1] A "correction" is a device repair, modification, adjustment, relabeling, destruction, or inspection (including patient monitoring) made without physically removing the device from its point of use to some other location. (21 CFR 806.2(d)). A "removal" is the physical removal of a device from its point of use to some other location for repair, modification, adjustment, relabeling, destruction, or inspection. (21 CFR 806.2(j)).
[2] 21 CFR 806.10(a).
[3] The Guidance is the latest in a series of guidance documents and safety communications addressing cybersecurity throughout the medical device lifecycle. These include FDA's Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (draft issued June 14, 2013; final issued October 2, 2014). Key principles include cybersecurity as a shared responsibility among device stakeholders; the need to address cybersecurity during product design and development; and the need to establish design inputs for device cybersecurity, and establish a cybersecurity vulnerability and management approach, as part of software validation and risk analysis required by 21 CFR 820.30(g).
[4] Guidance, p. 11.
[5] Guidance, p. 12.
[6] See, e.g., NIST Interagency Report (NISTIR) 7298, Glossary of Key Information Security Terms (May 2013) (defining “risk”).
[7] Medical Device Cybersecurity: Year in Reflection and Looking Ahead. Presentation at FDA's Moving Forward: Collaborative Approaches to Medical Device Cybersecurity (January 20, 2016).
[8] EO 13636 recognized that resilient infrastructure is essential to preserving national security, economic stability, and public health and safety. It states that cyber threats to national security are among the most serious, and that stakeholders must enhance the cybersecurity and resilience of critical infrastructure. EO 13691 encouraged the development of Information Sharing Analysis Organizations (ISAO) to serve as focal points for cybersecurity information sharing and collaboration within the private sector, and between the private sector and government.
[9] The definition is derived from the American National Standards Institute/Association for the Advancement of Medical Instrumentation (ANSI/AAMI) ES60601-1: Medical electrical equipment – Part 1: General Requirements for basic safety and essential performance.
[10] Risk Assessment Guide, p. 8 and Appendix D.
[11] Guidance, p. 17.
[12] ISO/IEC 29147:2014: Information Technology – Security Techniques – Vulnerability Disclosure is a recommended resource.
[13] While the Guidance does not define "cyber hygiene," the New York State Office of Information Technology Services offers a concise and effective definition: "protecting and maintaining systems and devices appropriately and using cyber security best practices." Cyber hygiene incorporates such concepts as knowing what's connected to the network; implementing key security systems; limiting and controlling administrative privileges; and regularly updating applications, software, and operating systems.
[14] "Compensating controls" are safeguards or countermeasures deployed in lieu of, or in the absence of, controls designed in by the device manufacturer. (Guidance, p. 9).
[15] Guidance, pp. 18-19.
[16] Examples of "enhancements" include changes made to better meet user needs, changes to make the device easier to manufacture, changes to improve a non-violative device's safety or performance, and changes to device appearance that do not affect its use.
[17] Guidance, pp. 9-10.
[18] Guidance, p. 20.
[19] Guidance, p. 9.
[20] See 21 CFR 814.84.
[21] Guidance, p. 20.
[22] Guidance, p. 21.
[23] See 21 CFR 806.10(f).
[24] In some cases, "a compensating control could produce a long-term solution provided the risk of patient harm is brought to an acceptable level." Controls should not introduce additional risk to device safety or essential performance. (Guidance, p. 22).
[25] ISAOs are a product of Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing (February 13, 2015), and serve as focal points for cybersecurity information sharing and collaboration within the private sector, and between the private sector and government.
[26] For each of the nation’s "critical infrastructures," a designated private sector-led Information Sharing & Analysis Center (ISAC) is entrusted with advancing physical and cybersecurity protection by "establishing and maintaining collaborative frameworks for operational interaction between and among members and external partners." The National Health ISAC (NH-ISAC) is the "tactical and operational arm advancing national healthcare and public health critical infrastructure resilience – all hazards (cyber and physical) security intelligence situational awareness analysis and reporting, secure trusted two-way information sharing, countermeasure solutions, incident response, leading practice and education."
[27] The ISAO must have "documented policies pertaining to participant agreements, business processes, operating procedures, and privacy protections," and the manufacturer must have "documented processes for assessing and responding to vulnerability and threat intelligence information received from the ISAO. This information should be traceable to medical device risk assessments, countermeasure solutions, and mitigations." (Guidance, p. 26).
[28] Guidance, pp. 22-23.
[29] Guidance, p. 25.
[30] Remarks of Dr. Suzanne B. Schwartz, FDA webinar, Postmarket Management of Cybersecurity In Medical Devices, Final Guidance (January 12, 2017).
[31] Id.