FDA Issues Final Guidance Document on Postmarket Cybersecurity for Medical Devices

Cybersecurity vulnerabilities can emerge throughout a device’s lifecycle and potentially result in patient harm or financial losses for providers.

From X-ray systems and backend EMRs or networking interfaces to insulin pumps and mobile software applications, cybersecurity vulnerabilities can emerge throughout a device’s lifecycle and potentially result in patient harm or financial losses for providers.

The US Food and Drug Administration (FDA) is encouraging medical device manufacturers to be more vigilant and build in safeguards throughout the product lifecycle to reduce health and safety risks.

To help structure measures against the evolving threat, on December 27, 2016, the FDA issued its final guidance document, Postmarket Management of Cybersecurity in Medical Devices, which clarifies the agency’s recommendations for managing postmarket cybersecurity vulnerabilities for medical devices. The recommendations apply to current and future marketed and distributed medical devices that are part of an interoperable system, contain software or firmware, or are software applications themselves. This guidance serves as a supplement to the agency’s previously released guidance document, Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.

Key Principles of the New Guidance

• Medical device manufacturers should monitor, identify, and address cybersecurity exploits and vulnerabilities through the establishment of effective postmarket cybersecurity management processes
• A risk-based framework should be used for  assessing when cybersecurity-related device changes should be reported to the FDA
• Cybersecurity risk management is a shared responsibility among stakeholders including the medical device manufacturer, the user, the Information Technology (IT) system integrator, Health IT developers, and IT vendors

Agency Recommendations for a Medical Device Manufacturer’s Quality Management System

• Methods to monitor, identify, characterize, and assess cybersecurity vulnerabilities
• Methods to analyze, detect, and assess threat sources
• Processes for intake and handling of identified vulnerabilities
• Processes for verification and validation of software updates and patches for remediation of vulnerabilities
• Policy for vulnerability disclosure and practice
• Threat modeling to define how to maintain the safety and effectiveness of a medical device by developing mitigations that protect, respond and recover from cybersecurity risk

The agency encourages the use and adoption of the voluntary Framework for Improving Critical Infrastructure Cybersecurity that has been developed by the National Institute of Standards and Technology (NIST) with collective input from other government agencies and the private sector.  The guidance includes further detail on how a manufacturer can align with this framework in the guidance’s appendix.  

In addition, the agency encourages medical device manufacturers to participate in an Information Sharing Analysis Organization (ISAO). ISAOs gather and analyze critical infrastructure information in order to better understand cybersecurity problems and interdependencies; to communicate or disclose critical infrastructure information to help prevent, detect, mitigate, or recover from the effects of cyber threats; and to voluntarily disseminate critical infrastructure information to its members or others involved in the detection and response to cybersecurity issues.

In alignment with this final guidance from the FDA, ICON will continue to recommend that clients incorporate the management of cybersecurity risks into their risk management program and will encourage clients to consider using a cybersecurity vulnerability assessment tool, and engage with an ISAO. ICON can assist clients in developing cybersecurity programs that proactively control cybersecurity risk. These solutions are device-specific, but typically include removing cybersecurity vulnerabilities or instructing users to incorporate a compensating control as an external safeguard. 

For assistance with establishment of a cybersecurity management process or a cybersecurity documentation review to ensure compliance with current regulations, please contact ICON.