FDA - Postmarket Management of Cybersecurity in Medical Devices

It seems almost impossible in today’s world to escape our dependence on technology. From the minute we wake-up in the morning, we access news reports on our tablets, keep track of our health with fitness trackers, receive and respond to e-mails on our mobile phones, and many of us rely upon interconnected medical devices, such as insulin pumps, to safely navigate through a typical day.  But such convenience is not without risk. 

Medical devices, like all interconnected technology, can be vulnerable to security breaches, which “may compromise the essential clinical performance of a device” and potentially impact patient safety.  The Food and Drug Administration (“FDA”) thoroughly understands this benefit v. risk balance, and has issued a number of recommendations that address comprehensive cybersecurity over the lifecycle of medical device products.  Most recently, on December 27, 2016, the FDA issued its final Guidance on Postmarket Management of Cybersecurity in Medical Devices.  The recommendations apply to medical devices that use software, including programmable logic and software that is regulated as a medical device, including mobile medical apps.  You can link to the full text of the Guidance here.  This final Guidance closely resembles a draft of the document, issued for comment almost a year prior.  For more details on our take of the draft Guidance, see our prior series “FDA Issues Draft Guidance Document for Postmarket Management of Cybersecurity in Medical Devices” posted in four parts here, here, here, and here.  This Postmarket Guidance also follows the FDA’s Guidance on medical device premarket cybersecurity, issued in October 2014, discussed in more detail here.

The final Guidance outlines steps that medical device manufacturers and health care systems should take to monitor, identify, understand and address cybersecurity risks once medical devices and mobile medical devices have entered the marketplace.  Yet, don’t allow the “guidance” nature of the document fool you into believing its recommendations are optional, as the FDA takes the position that manufacturers are required to ensure the safety and efficacy of their medical devices, and should they choose not to follow this guidance, the device vendor must have in place another similar cybersecurity strategy in order to avoid regulatory scrutiny.

From this Guidance emerges two predominant concepts: 1) the Guidance, like its predecessor draft and the 2014 Premarket Guidance, follows a risk-based approach, i.e., guiding manufacturers to identify, assess, and mitigate risks that emerge after the device has been introduced to market; and 2) medical device cybersecurity and cybersecurity risk management must be proactively addressed throughout the entire lifestyle of a product, and is a shared responsibility among stakeholders including health care facilities, patients, providers, and manufacturers of medical devices.”[1]  In other words, cybersecurity controls should be incorporated into the design, development and manufacture of a device.  But after marketing and during patient use, the device should be continuously monitored, and cybersecurity concerns addressed.

As Suzanne B. Schwartz, the FDA’s associate director for science and strategic partnerships, stated in a blog post concurrent with the issuance of the Guidance itself, “[w]ith this guidance, we now have an outline of steps the FDA recommends manufacturers take to remain vigilant and continually address the cybersecurity risks of marketed medical devices.”[2]  “This approach enables manufacturers to focus on continuous quality improvement, which is essential to ensuring the safety and effectiveness of medical devices at all stages in the device’s lifecycle.”[3]  Essential to the FDA’s recommendations is the belief that device manufacturers implement comprehensive cybersecurity risk management programs and documentation which emphasizes “addressing vulnerabilities which may permit the unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient, and may result in patient harm. Manufacturers should respond in a timely fashion to address identified vulnerabilities.”[4]

Critical components of such a program include:

• Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
• Maintaining robust software lifecycle processes that include mechanisms for: 
  • monitoring third party software components for new vulnerabilities throughout the device’s total product lifecycle;
  • design verification and validation for software updates and patches that are used to remediate vulnerabilities, including those related to Off-the-shelf software;
• Understanding, assessing and detecting presence and impact of a vulnerability;
• Establishing and communicating processes for vulnerability intake and handling
• Note: The FDA has recognized ISO/IEC 30111:2013: Information Technology – Security Techniques – Vulnerability Handling Processes;
• Using threat modeling to clearly define how to maintain safety and essential performance of a device by developing mitigations that protect, respond and recover from the cybersecurity risk;
• Adopting a coordinated vulnerability disclosure policy and practice. The FDA has recognized ISO/IEC 29147:2014: Information Technology – Security Techniques – Vulnerability Disclosure which may be a useful resource for manufacturers; and
• Deploying mitigations that address cybersecurity risk early and prior to exploitation.[5]

It is further recommended that the program incorporate elements consistent with the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (i.e., Identify, Protect, Detect, Respond, and Recover).  For more details on these concepts, please see our previous discussion, which can be found here.

Perhaps more important than the shared responsibility of risk mitigation in cybersecurity among all stakeholders, is the concept that, in the FDA’s view, cybersecurity risk management should revolve around assessing therisk to the device’s essential clinical performance, which focuses on assessing the risk of patient harm.[6]  As the Guidance explains, “[a] key purpose of conducting the cyber-vulnerability risk assessment is to evaluate whether the risk of patient harm is controlled (acceptable) or uncontrolled (unacceptable). One method of assessing the acceptability of risk involves using a matrix with combinations of “exploitability” and “severity of patient harm” to determine whether the risk of patient harm is controlled or uncontrolled.”[7]  This focus is achieved by considering:

(1)   The exploitability of the cybersecurity vulnerability, and

(2)   The severity of patient harm if the vulnerability were to be exploited.[8]

Such risk is to be assessed according to these two considerations on a sliding scale, which ranges from a controlled risk (low probability of a cybersecurity exploit with little impact on patient health) to an uncontrolled risk (high probability of an exploited vulnerability that seriously threatens patient safety or even patient death).  While in some cases the evaluation will yield a definite determination of controlled or uncontrolled, the possibility remains that not all situations will produce such distinct results.[9]

The Guidance provides that manufacturers should have processes for assessing the exploitability of a cybersecurity vulnerability as well as the severity of patient harm, if the cybersecurity vulnerability were to be exploited. The FDA suggests using a cybersecurity vulnerability assessment tool or similar scoring system for rating vulnerabilities and determining the need for and urgency of the response, such as the “Common Vulnerability Scoring System,” Version 3.0.[10]  Many adequate methodologies may be utilized to analyze the potential severity of patient harm, yet the Guidance highlights an approach based on qualitative severity levels as described in ANSI/AAMI/ISO 14971: 2007/(R)2010: Medical Devices – Application of Risk Management to Medical Devices.[11]  These levels range from Negligible (inconvenience or temporary discomfort) to Catastrophic (resulting in patient death).

The figure below shows the relationship between exploitability and severity of patient harm, and can be used to categorize the risk of patient harm as controlled or uncontrolled.[12]

 

While the FDA clearly distinguishes between a controlled risk and uncontrolled risk, even its illustrative chart above shows a large gray area of in-between, further acknowledging that it will not always be clear in which category the risk belongs.

The FDA Guidance then sets forth recommended proper responses to controlled and uncontrolled risks.  Controlled risk scenarios involve relatively minor issues, where there is sufficiently low (acceptable) risk of patient harm.  However, manufacturers are still encouraged to proactively promote good cyber hygiene and reduce cybersecurity risks even when residual risk is acceptable.[13]  Uncontrolled risks, on the other hand, require immediate intervention and remediation, and must be reported under 21 CFR part 806, unless:           

(1)   There are no known serious adverse events or deaths associated with the vulnerability;

(2)   The manufacturer communicates with its customers and user community regarding the vulnerability, identifies interim compensating controls, and develops a remediation plan to bring the risk to an acceptable level, as soon as possible, but no later than 30 days after learning of the vulnerability;

(3)   The manufacturer fixes the vulnerability, validates the change, and distributes the deployable fix to its customers and user community within 60 days; and,

(4)   The manufacturer actively participates as a member of an Information Sharing Analysis Organization or “ISAO.”[14]

Like its draft before it, the final Guidance additionally contains an essential practical element in its Appendix: “Elements of an Effective Postmarket Cybersecurity Program.”  The Appendix encompasses the totality of the FDA’s recommendations, in an easy to follow five-prong framework, consistent with the elements of the NIST Framework for Improving Critical Infrastructure Cybersecurity.  These prongs are: A) Identify, B) Protect/Detect, C) Protect/Respond/Recover, and D) Risk Mitigation of Safety and Essential Performance.[15]

All medical devices come with both risks and benefits.  While it may not always be clear whether a particular risk is categorized as controlled or uncontrolled, the FDA has been explicitly clear in both its Premarket and Postmarket Guidances that comprehensive cybersecurity and risk analysis must be addressed over the lifecycle of medical device products, keeping a primary focus on the risk of patient harm.