Introduction
Many medical devices currently in commercial distribution today incorporate some type of software. Some devices use software to control certain aspects of the device or perform data analysis while others use it to connect to the Internet and health care provider networks for monitoring and sharing data.
The U.S. Food and Drug Administration (FDA) is becoming increasingly concerned about the vulnerability of these devices to hacking, jeopardizing their safety and efficacy while putting patients at risk. In response to this increased threat, the FDA recently published a guidance document called the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices and, as a part two to their cybersecurity efforts, has issued a draft guidance document entitled Postmarket Management of Cybersecurity in Medical Devices.
Suzanne Schwartz, M.D., M.B.A., the associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health said, “All medical devices that use software and are connected to hospital and health care organizations’ networks have vulnerabilities — some we can proactively protect against, while others require vigilant monitoring and timely remediation. (The) draft guidance will build on the FDA’s existing efforts to safeguard patients from cyber threats by recommending medical device manufacturers continue to monitor and address cybersecurity issues while their product is on the market.”
Cybersecurity Risk Management Program
The FDA believes employing a proactive “risk-based approach to characterizing vulnerabilities, and timely implementation of necessary actions can further mitigate emerging cybersecurity risks and reduce the impact to patients.” Cybersecurity risks should be incorporated into an effective risk management program in compliance with the Quality System Regulation (21 CFR part 820) and be evaluated similar to device design, manufacturing, and use risks with the intent “to reduce the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate cybersecurity.”
The FDA also strongly recommends that manufacturers participate in cybersecurity information sharing and analysis organizations (ISAO) as a way to share cyber security information. The organization also encourages the use and adoption of the voluntary Framework for Improving Critical Infrastructure Cybersecurity that has been developed by the National Institute of Standards and Technology (NIST).
Critical components for an effective cybersecurity risk management program in compliance with the Quality System Regulation (21 CFR part 820) include the following:
- Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk
- Understanding, assessing and detecting presence and impact of a vulnerability
- Establishing and communicating processes for vulnerability intake and handling
- Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk
- Adopting a coordinated vulnerability disclosure policy and practice; and
- Deploying mitigations that address cybersecurity risk early and prior to exploitation.
Essential Clinical Performance and Risk Mitigation
The FDA developed the concept of Essential Clinical Performance within this draft guidance and defines it as:
“Essential clinical performance means performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer. Compromise of the essential clinical performance can produce a hazardous situation that results in harm and/or may require intervention to prevent harm.”
The FDA states “a key purpose of conducting the cyber-vulnerability risk assessment is to evaluate whether the risk to essential clinical performance of the device is controlled (acceptable) or uncontrolled (unacceptable).” It is recommended that such a process focus on assessing the risk to the device’s essential clinical performance by considering the exploitability of the cybersecurity vulnerability and the severity of the health impact to patients if the vulnerability were to be exploited. Such analysis should also incorporate consideration of compensating controls and risk mitigations.
Exploitation of Cybersecurity Vulnerability
FDA defines vulnerability as “a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat” and recommends manufacturers develop a process to evaluate potential exploitability of a cybersecurity vulnerability.
Risk-based techniques are acceptable for evaluating the probability of an exploit; however the FDA recommends manufacturers consider using a cybersecurity vulnerability assessment tool or similar scoring system for rating vulnerabilities and determining the need for and urgency of the response.
Based on this assessment, the exploitability of an identified vulnerability can help determine the extent of the compromise to the essential clinical performance of a device.
Uncontrolled Risks and FDA Enforcement
With the publication of guidance document Content of Premarket Submissions for Management of Cybersecurity in Medical Devices and this Postmarket Management of Cybersecurity in Medical Devices draft guidance, the FDA has identified the need for manufacturers to focus on cybersecurity risk management activities to mitigate uncontrolled risks. The FDA defines an uncontrolled risk as:
“Uncontrolled risk is present when there is unacceptable residual risk that the device’s essential clinical performance could be compromised due to insufficient compensating controls and risk mitigations.”
The FDA states that “If the risk to essential clinical performance is assessed as uncontrolled, additional risk control measures should be applied” and “In the absence of remediation, a device with uncontrolled risk to its essential clinical performance may be considered to have a reasonable probability that use of, or exposure to, the product will cause serious adverse health consequences or death. The product may be considered in violation of the FD&C Act and subject to enforcement or other action.”
Cybersecurity vulnerability is a very real and growing threat to medical device manufacturers, their products, and the patients who depend upon them. It’s critical that manufacturers take this threat seriously and address it rigorously.