Is Your Medical Device Cybersecure? FDA Issues Draft Guidance on Postmarket Cybersecurity in Medical Devices
Recently, the U.S. Food and Drug Administration (FDA) issued draft guidance outlining the agency’s recommendations for Postmarket Management of Cybersecurity in Medical Devices. The guidance is applicable to medical devices that contain software (including firmware) or programmable logic, as well as software that meets the definition of a medical device. The guidance does not apply to experimental or investigational medical devices. Comments on the draft guidance are due by April 21, 2016.
The draft guidance emphasizes that manufacturers should proactively monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices. FDA defines “vulnerability” as a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat.” The draft guidance defines “exploit” to mean “an instance where a vulnerability or vulnerabilities have been exercised (accidentally or intentionally) and could impact the essential clinical performance of a medical device or use a medical device as a vector to compromise the performance of a connected device or system.”
The draft guidance explains that for a small subset of cybersecurity vulnerabilities and exploits that may compromise “the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death,” FDA would require medical device manufacturers to notify the agency under 21 CFR 806.10. That section generally requires device manufacturers to notify FDA in writing within 10 working days of any correction (e.g., repair, modification, adjustment, relabeling) or removal of a device that was initiated to (1) reduce a risk to health posed by the device; or (2) remedy a legal/regulatory violation caused by the device that may present a risk to health. FDA’s guidance defines “essential clinical performance” to mean “performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer.” Accordingly, FDA explains that manufacturers should “define, as part of risk management, the essential clinical performance of their device, the resulting severity outcomes if compromised, and the risk acceptance criteria,” taking into consideration the requirements necessary to achieve device safety and effectiveness.
Further, the guidance recommends that the process for assessing the cybersecurity risk to a device’s essential clinical performance consider: (1) the exploitability of the cybersecurity vulnerability; and (2) the severity of the health impact to patients if the vulnerability were to be exploited. The guidance also recommends that manufacturers evaluate whether the resulting risk to the device’s essential clinical performance is controlled (acceptable) or uncontrolled (unacceptable).
Source: Lexology – Arnold & Porter LLP – Ronald D. Lee, Vernessa T. Pollard and Abraham Gitterman