Key takeaways from the guidance include:
- Cybersecurity programs should be documented, systematic and comprehensive.
- Cybersecurity should be considered throughout the medical device’s entire lifecycle.
- Cybersecurity evaluations should consider a broad range of credible information and potential threats that could compromise a medical device’s essential functions.
Manufacturers should account for cybersecurity by designing cybersecurity-related inputs for their devices and incorporating a cybersecurity management approach that determines (1) assets, threats and vulnerabilities; (2) how threats and vulnerabilities could affect device functionality and end users/patients; (3) the likelihood of threats and exploitation of vulnerabilities; (4) risk levels and suitable mitigation strategies; and (5) residual risk and risk acceptance criteria. FDA provided the same recommendations in its 2014 premarket guidance.
Adequate postmarket cybersecurity management requires a program that is systematic, structured, documented, consistent with the Quality System Regulation (21 C.F.R. Part 820), and incorporates the National Institute of Standards and Technology’s (NIST’s) Framework for Improving Critical Infrastructure Cybersecurity (cybersecurity guidelines NIST created pursuant to a presidential executive order and with input from public and private stakeholders).
Key components include:
- monitoring quality cybersecurity information sources—such as complaints, service records and data provided through Information Sharing Analysis Organizations (ISAOs)—for identification and detection of vulnerabilities and risk;
- establishing, communicating and documenting processes for vulnerability intake and handling;
- understanding, assessing and detecting the presence and impact of vulnerabilities;
- clearly defining essential clinical performance to develop mitigations that protect against, respond to and recover from cybersecurity risk;
- adopting a coordinated vulnerability disclosure policy and practice; and
- deploying mitigations that address cybersecurity risk early and before exploitation.
Acknowledging that not all vulnerabilities threaten patient safety and that manufacturers may not be able to identify every threat, the guidance advises manufacturers to identify a device’s “essential clinical performance” and focus on identifying and resolving risks to that performance. Manufacturers should define a device’s essential clinical performance by considering the conditions necessary for the device to operate safely and effectively. Manufacturers should assess a vulnerability’s risk by evaluating its exploitability and the health dangers resulting from its exploitation. The draft guidance recommends tools for each evaluation: the Common Vulnerability Scoring System v3.0 for exploitability and the standards in ANSI/AAMI/ISO 14971:2007/(R)2010, Medical Devices – Application of Risk Management to Medical Devices, for health dangers caused by exploitation.
The guidance divides risks into two groups and recommends manufacturers do the same. Low or “controlled” risk exists when, after accounting for existing controls, there is an acceptable amount of risk that the device’s essential clinical performance could be compromised by a cybersecurity vulnerability. High or “uncontrolled” risk exists when insufficient controls and mitigations create an unacceptable amount of risk that the device’s essential clinical performance could be compromised by a cybersecurity vulnerability.
A risk’s classification affects whether a manufacturer can address the risk without reporting the risk and its remediation to FDA under 21 C.F.R. Part 806, which obligates manufacturers to report when they repair, modify or adjust a device to reduce the device’s health risk. Manufacturers can ameliorate controlled risks without reporting the risk or enhancement under Part 806. (But for Class III devices, manufacturers must disclose the risk and the remediation in their periodic reports to FDA under 21 C.F.R. § 814.84.) Uncontrolled risks are a different matter: manufacturers must report them and their remediation unless (1) there are no known serious adverse events or deaths associated with the vulnerability; (2) within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users; and (3) the manufacturer participates in an ISAO.
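The two-step assessment and the Part 806 reporting decision described above, as an added triage helper that is not part of the article or of any FDA material. The CVSS v3.0 exploitability formula and metric weights are the published ones; the harm scale and the controlled/uncontrolled thresholds are assumptions chosen for illustration, and a manufacturer would substitute its own risk acceptance criteria.

```python
# Added example: triage helper following the article's two-step assessment.
# CVSS v3.0 exploitability weights are the published ones; the harm scale and
# the controlled/uncontrolled thresholds below are assumptions, not FDA numbers.
from dataclasses import dataclass

# CVSS v3.0 exploitability sub-score = 8.22 * AV * AC * PR * UI.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}   # Scope:U
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}      # Scope:C

def exploitability(vector: str) -> float:
    """Exploitability sub-score from a v3.0 vector such as
    'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    pr = PR_CHANGED if m["S"] == "C" else PR_UNCHANGED
    return 8.22 * AV[m["AV"]] * AC[m["AC"]] * pr[m["PR"]] * UI[m["UI"]]

# Assumed qualitative harm scale for the ISO 14971 side (index = severity).
HARM = ["negligible", "minor", "serious", "critical", "catastrophic"]

def classify(vector: str, harm: str) -> str:
    """Return 'controlled' or 'uncontrolled' using an assumed matrix: risk is
    unacceptable when serious-or-worse harm is reachable through a moderately
    exploitable flaw, or catastrophic harm through any non-trivial one."""
    e, h = exploitability(vector), HARM.index(harm)
    if (h >= 2 and e >= 2.0) or (h == 4 and e >= 1.0):
        return "uncontrolled"
    return "controlled"

@dataclass
class Remediation:
    known_serious_events: bool   # adverse events or deaths tied to the flaw
    fixed_within_30_days: bool   # changes/compensating controls + users notified
    isao_member: bool            # manufacturer participates in an ISAO

def part_806_report_required(classification: str, r: Remediation) -> bool:
    """Controlled risks need no Part 806 report; uncontrolled risks do unless
    all three conditions from the draft guidance hold."""
    if classification == "controlled":
        return False
    exempt = (not r.known_serious_events) and r.fixed_within_30_days and r.isao_member
    return not exempt
```

Class III periodic-report obligations under § 814.84 apply regardless of the result and are not modelled here.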
What the Draft Guidance Means for Device Manufacturers
To see how their programs measure up to what the draft guidance describes, device manufacturers should start by asking these key questions:
- Is our cybersecurity management program addressing cybersecurity throughout each device’s lifecycle?
- Is our program proactive?
- Should we use quality data security sources, such as ISAOs?
- Do we need to develop and deploy new training or messaging to colleagues about cybersecurity?
- Are we using good cyber hygiene?