Postmarket surveillance is a crucial aspect of medical device safety and cybersecurity risk management. It is the primary means of gathering information about how your device performs in the real world so you can make improvements that deliver better diagnoses or therapies. The customer feedback process is a key entry point for field performance information into the quality management system.
The US FDA requires a “cybersecurity management plan” to be included in premarket submissions for medical devices (“Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions”) and provides guidance for creating an effective postmarket cybersecurity program (“Postmarket Management of Cybersecurity in Medical Devices”). The Medical Device Coordination Group (MDCG) provides similar guidance on postmarket surveillance and vigilance in MDCG 2019-16 (“Guidance on Cybersecurity for medical devices”), which addresses the security and postmarket surveillance requirements of the European Union’s Medical Device Regulation (2017/745) and In Vitro Diagnostic Regulation (2017/746).
The common goals of the postmarket surveillance system include:
- Monitor safety and essential performance of fielded devices, including cybersecurity signals as they relate to safety
- Update threat models and cybersecurity risk assessments of fielded devices, including monitoring for novel threats and vulnerabilities
- Respond to cybersecurity incidents
- Remediate vulnerabilities with patches and updates
- Share security information with relevant stakeholders
Effective postmarket cybersecurity surveillance requires processes to monitor emerging threats and vulnerabilities. This can be done in-house, but keeping up with the rapidly evolving threat landscape takes significant information technology and staff resources. Automated tools and third-party vendors can help you monitor your software bill of materials (SBOM) for newly published vulnerabilities in the components your device ships, so that you can evaluate them and issue appropriate patches.
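To make the SBOM monitoring step concrete, here is an added example (not code from the original article) that matches a CycloneDX-style SBOM against a vulnerability feed and reports only advisories not already open in the risk file. The SBOM, the advisory records, the component names and the EXAMPLE-* identifiers are all constructed for illustration; a production scan would pull advisories from a real feed such as NVD or OSV and use a proper version library rather than the dotted-integer comparison used here.

```python
"""Match an SBOM against a vulnerability feed to surface postmarket signals.

Added example; not code from the original article. The SBOM, the advisory
records, the component names and the EXAMPLE-* identifiers are constructed.
"""
import json

# Constructed CycloneDX-style SBOM fragment. Component names are hypothetical.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-ble-stack", "version": "2.3.1",
     "purl": "pkg:generic/acme-ble-stack@2.3.1"},
    {"type": "library", "name": "tinytls", "version": "1.8.0",
     "purl": "pkg:generic/tinytls@1.8.0"},
    {"type": "operating-system", "name": "example-rtos", "version": "4.1.0",
     "purl": "pkg:generic/example-rtos@4.1.0"}
  ]
}
"""

# Constructed advisory feed. Each record lists affected version ranges as
# (introduced, fixed) pairs; fixed=None means no fix is published yet.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "acme-ble-stack", "severity": "HIGH",
     "ranges": [("2.0.0", "2.3.2")]},
    {"id": "EXAMPLE-2024-0002", "package": "tinytls", "severity": "CRITICAL",
     "ranges": [("1.0.0", "1.7.5")]},
    {"id": "EXAMPLE-2024-0003", "package": "example-rtos", "severity": "MEDIUM",
     "ranges": [("4.0.0", None)]},
]

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def parse_version(text):
    """'1.8.0' -> (1, 8, 0) so that tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, ranges):
    """True if version falls in any [introduced, fixed) range."""
    v = parse_version(version)
    for introduced, fixed in ranges:
        if v >= parse_version(introduced) and (fixed is None or v < parse_version(fixed)):
            return True
    return False


def load_components(sbom_json):
    """Return (name, version) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def match_sbom(sbom_json, advisories):
    """One signal per advisory that affects a shipped component version,
    sorted so the most severe land at the top of the triage queue."""
    signals = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv["ranges"]):
                signals.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    # A fix exists if any affected range has an upper bound.
                    "fix_available": any(fixed is not None for _, fixed in adv["ranges"]),
                })
    signals.sort(key=lambda s: SEVERITY_ORDER.get(s["severity"], len(SEVERITY_ORDER)))
    return signals


def new_since(signals, already_tracked):
    """Surveillance is a repeated scan: report only advisories that are not
    already open in the cybersecurity risk management file."""
    return [s for s in signals if s["advisory"] not in already_tracked]


if __name__ == "__main__":
    found = match_sbom(SBOM_JSON, ADVISORIES)
    for s in found:
        print(f"{s['severity']:8} {s['advisory']} {s['component']} {s['version']} "
              f"fix_available={s['fix_available']}")
    print("new:", [s["advisory"] for s in new_since(found, {"EXAMPLE-2024-0001"})])
```

Running it flags the BLE stack (a fix exists, so the patch path applies) and the RTOS (no fix yet, so the signal goes to the risk assessment as an open vulnerability), while the TLS library is already past its fixed version. Feeding the set of advisories already tracked into `new_since` is what turns a one-off scan into surveillance.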
You can leverage existing quality management system elements to implement your cybersecurity postmarket surveillance system.
- Identify cybersecurity signals through your existing tracking and trending mechanisms. Link the feedback and complaint handling system to the cybersecurity risk management file, e.g., by tagging cybersecurity-related complaints with IMDRF A1105 codes, and monitor those codes for problems.
- As a first step, evaluate each potential cybersecurity signal to determine whether it represents a new vulnerability or a cybersecurity incident. Include returned goods analysis and failure analysis in the surveillance program so that a critical signal arriving through a returned unit rather than a complaint is not missed.
- Respond to a detected vulnerability by activating the coordinated vulnerability disclosure process that FDA guidance calls for. Use your existing processes to communicate with stakeholders, whether they are customers, patients, regulators or others. If a cybersecurity signal represents an actual cybersecurity incident, investigate it through existing mechanisms and, where warranted, activate the field action process as part of incident response.
- Ultimately, you need a way for fielded devices to recover to a state that is secure and delivers safe and effective performance. Here the problem resolution process identifies root causes, develops and verifies patches or updates, and deploys the fixes to the field (possibly through a field action process).
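The first two steps above (link complaint codes to the risk file, then trend and evaluate) can be implemented on top of the complaint handling system. The following added example, which is not code from the original article, trends cyber-coded complaint records per device and month and flags a month whose count both reaches a minimum and exceeds a multiple of the preceding months' average, returning the complaint IDs so the evaluation step has its records. The complaint records, device names and thresholds are constructed; which IMDRF code prefixes count as cybersecurity-related is an assumption kept configurable (the A1105 family mentioned above is used).

```python
"""Trend complaint records to surface cybersecurity signals.

Added example; not code from the original article. The complaint records,
device names and thresholds are constructed. The IMDRF code prefixes treated
as cybersecurity-related are an assumption and are kept configurable.
"""
from collections import defaultdict
from datetime import date

# Assumption: complaints coded with these IMDRF prefixes are linked to the
# cybersecurity risk management file.
CYBER_CODE_PREFIXES = ("A1105",)

# Constructed complaint records: (id, device, received, imdrf_code, summary).
COMPLAINTS = [
    ("C-1001", "InfusionPump-X", date(2024, 1, 9), "A0501", "tubing leak"),
    ("C-1002", "InfusionPump-X", date(2024, 2, 3), "A1105", "reboot during unexpected network traffic"),
    ("C-1003", "InfusionPump-X", date(2024, 3, 14), "A1105", "unknown login on service port"),
    ("C-1004", "InfusionPump-X", date(2024, 4, 2), "A1105", "settings changed without user action"),
    ("C-1005", "InfusionPump-X", date(2024, 4, 5), "A1105", "unknown login on service port"),
    ("C-1006", "InfusionPump-X", date(2024, 4, 11), "A1105", "reboot during unexpected network traffic"),
    ("C-1007", "InfusionPump-X", date(2024, 4, 19), "A1105", "settings changed without user action"),
    ("C-1008", "Monitor-Y", date(2024, 4, 20), "A1105", "certificate warning on pairing"),
    ("C-1009", "InfusionPump-X", date(2024, 4, 22), "A0901", "display dim"),
]


def is_cyber_code(code):
    return code.startswith(CYBER_CODE_PREFIXES)


def previous_months(ym, n):
    """The n calendar months before (year, month), most recent first."""
    year, month = ym
    out = []
    for _ in range(n):
        month -= 1
        if month == 0:
            year, month = year - 1, 12
        out.append((year, month))
    return out


def cyber_counts_by_month(complaints):
    """device -> {(year, month): [complaint ids]} for cyber-coded records only."""
    buckets = defaultdict(lambda: defaultdict(list))
    for cid, device, received, code, _ in complaints:
        if is_cyber_code(code):
            buckets[device][(received.year, received.month)].append(cid)
    return buckets


def detect_signals(complaints, min_count=3, factor=2.0, baseline_months=3):
    """Flag (device, month) where cyber-coded complaints reach min_count and
    exceed factor x the mean of the preceding baseline_months (months with
    no such complaints count as zero). Returns the complaint ids so the
    signal can be evaluated against the risk management file."""
    signals = []
    for device, per_month in cyber_counts_by_month(complaints).items():
        for ym in sorted(per_month):
            count = len(per_month[ym])
            prior = previous_months(ym, baseline_months)
            baseline = sum(len(per_month.get(p, [])) for p in prior) / baseline_months
            if count >= min_count and count > factor * baseline:
                signals.append({"device": device, "month": ym, "count": count,
                                "baseline": round(baseline, 2),
                                "complaints": sorted(per_month[ym])})
    return signals


if __name__ == "__main__":
    for s in detect_signals(COMPLAINTS):
        print(f"{s['device']} {s['month'][0]}-{s['month'][1]:02d}: {s['count']} cyber-coded "
              f"complaints vs baseline {s['baseline']} -> evaluate {s['complaints']}")
```

On the constructed data only the pump's April bucket trips the rule (four cyber-coded complaints against a baseline of under one per month); the single Monitor-Y record stays below `min_count`. The `min_count` floor keeps a first complaint after months of silence from dividing by a zero baseline and firing on its own, which is the failure mode to watch for with ratio-based trending.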
The above is not a comprehensive list of cybersecurity touchpoints throughout the medical device quality management system. Hopefully, it provides a starting point for you to think through the implications of securing your medical devices throughout their entire product life cycle including after product launch.
References
Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, US Food & Drug Administration, September 27, 2023.
Postmarket Management of Cybersecurity in Medical Devices, US Food & Drug Administration, December 28, 2016.
MDCG 2019-16 Rev.1, Guidance on Cybersecurity for medical devices, Medical Device Coordination Group, July 2020.
2017/745, REGULATION (EU) 2017/745 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC.
2017/746, REGULATION (EU) 2017/746 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU.
IMDRF Terminologies for Categorizing Adverse Event Reporting, International Medical Device Regulators Forum, https://www.imdrf.org/consultations/imdrf-terminologies-categorized-adverse-event-reporting-terms-terminology-and-codes.
Gregg Van Citters – Senior Software Quality Engineer