The FDA’s recently issued draft guidance on “Postmarket Management of Cybersecurity in Medical Devices” seeks to address some of the growing concerns that medical device manufacturers, regulators, and consumers have about postmarket cybersecurity standards for medical devices. Because the consequences of a cybersecurity breach involving a medical device can be serious, manufacturers, health care facilities, and providers should take precautions to ensure that their cybersecurity policies and protocols are thorough and up to date. Note that this guidance is still a draft and is not yet in effect.
Imagine this scenario: A rogue agent gains access to the serial number of the Vice President’s pacemaker. The agent sends the number to an associate, who remotely hacks his way through the device’s security framework and accelerates the Vice President’s heart rate, inducing a heart attack. Sound familiar? Fortunately, this was not a news report; it was a plot line from the second season of Showtime’s television series Homeland. But like many science fiction predictions, this one has already found roots in reality. With the rapidly expanding Internet of Things, and with millions of medical devices now connected to the Internet, hackers have more devices to target every day. Many of these devices, like the pacemaker in Homeland, are essential to a patient’s health, and as a result security breaches should not be taken lightly.
Background
In February 2013, President Obama issued Executive Order 13636, which stated that cyber threats to national security are among the most serious our nation faces. Additionally, Presidential Policy Directive 21 (PPD-21) tasks Federal agencies with strengthening the security and resilience of critical infrastructure against physical and cyber threats. The FDA’s draft guidance borrows principles from these directives and represents the FDA’s current effort to help strengthen cybersecurity in the rapidly growing medical device market. Moreover, the FDA encourages manufacturers to apply the voluntary National Institute of Standards and Technology (“NIST”) framework in the development and implementation of their cybersecurity controls. Although the NIST framework was written for critical infrastructure, the FDA encourages applying its principles more broadly, and the framework offers guideposts that any company can use to improve its cybersecurity posture.
Although the FDA’s guidance does not establish legally enforceable responsibilities, it does paint a picture of the FDA’s “current thinking” on this topic. The draft guidance does not establish any rights for any person, it is not binding on the public or the FDA, and medical device manufacturers retain the ability to use alternative approaches.
Focusing primarily on patient safety, the FDA recommends that medical device manufacturers monitor, identify, and respond to cybersecurity vulnerabilities and exploits during the postmarket management of their devices. The draft document also provides some guidance concerning reporting duties related to cybersecurity breaches.
General Principles Concerning Postmarket Regulation
The FDA’s position is that medical device cybersecurity is a shared responsibility that implicates not just the manufacturers of medical devices, but also health care facilities, patients, and providers, though manufacturers are likely to be on the front line of any litigation.
The FDA stated its view that, because the cybersecurity risks associated with medical devices continue to evolve, it is not possible to eliminate those risks through premarket controls alone. Accordingly, manufacturers should[1] increase their postmarket cybersecurity risk management measures. The draft guidance suggests that medical device manufacturers focus on certain activities, including:
- Identify problem areas in the cybersecurity framework. This can be achieved through analysis of complaints, returned products, service records, and other sources of data that may help identify existing and potential cybersecurity risks. Many medical devices now record or share internal logs, statistics, and incident reports related to their performance. These metrics can be crucial for manufacturers to identify potential weaknesses in their cybersecurity armor before they are exploited.
- Characterize and assess the identified vulnerabilities with regard to exploitability and the potential severity of their impact on health. This includes establishing and communicating the process for receiving and managing vulnerability reports. The FDA guidance provides additional detail and recommends using a cybersecurity vulnerability assessment tool or similar scoring system in this process.
- Clearly define the “essential clinical performance” of the medical device at issue in order to develop safeguards that protect against, respond to, and recover from the cybersecurity risk. Essential clinical performance is defined as “performance that is necessary to achieve freedom from unacceptable clinical risk.” In turn, an unacceptable clinical risk is one with high exploitability potential that poses a severe impact to health. The FDA admits that risk assessment may be difficult (i.e., manufacturers may struggle to categorize a risk as acceptable or unacceptable). Even so, the FDA recommends that manufacturers “make a binary determination that a vulnerability is either controlled or uncontrolled using an established process that is tailored to the product, its essential clinical performance, and the situation.”
- Adopt a coordinated vulnerability disclosure policy and practice. Clearly defining user expectations and allocating risks appropriately can save manufacturers time and money in the long run.
- Deploy mitigations that address cybersecurity risk early, prior to exploitation. If possible, risks should be addressed before they are exploited. Not only will early action protect customers, it may also limit potential damage claims down the road. The FDA notes that “acceptable mitigations will vary according to the device’s essential clinical performance,” i.e., manufacturers should apply a sliding scale analysis. For example, the FDA notes that more significant mitigation may be necessary for a vulnerability affecting an insulin pump than for one affecting a thermometer.
The FDA recognizes that even in the most sophisticated cybersecurity programs, vulnerabilities may arise, and complete security is impossible. The FDA’s guidance focuses only on those vulnerabilities that may affect safety. Manufacturers should be cognizant that other issues beyond the scope of the draft guidance could become the focus of other regulating bodies and/or plaintiffs’ attorneys.
Reporting
The FDA document also provides some guidance to manufacturers with regard to reporting cybersecurity vulnerabilities and breaches to the FDA. Generally, the FDA does not plan to require premarket review or approval of “cybersecurity routine updates and patches” to medical device software.
Additionally, the FDA does not plan to require reporting when changes to a device are made to address vulnerabilities associated with controlled risks. Controlled risks are those that present “sufficiently low residual risk that the device’s essential clinical performance could be compromised by the vulnerability.” Reporting is also not necessary when these changes are implemented “solely to strengthen cybersecurity.” However, the FDA suggests that companies report newly acquired information about cybersecurity vulnerabilities, and device changes made as part of a cybersecurity routine update or patch, in an annual report when they concern a premarket approval (Class III) medical device (one that supports or sustains human life).
The draft guidance provides a relevant example in which a manufacturer may not have to report an action taken to mitigate a controlled risk. In this example, a manufacturer becomes aware of an “open communication port” on its device. However, a design feature prevents unauthorized firmware from being downloaded onto the device remotely, so loading firmware requires physical access to the device. This physical-access requirement substantially mitigates the threat; therefore, the FDA considers the risk controlled and acceptable. The manufacturer then enhances the device’s security by closing the open communication port and notifying users. These actions would be considered a cybersecurity routine update or patch and may not require reporting under federal standards. However, if this were a Class III device, the manufacturer would need to report the changes to the FDA in its annual report.
On the other hand, when manufacturers implement risk control measures to address uncontrolled risks to essential clinical performance, the FDA’s view is different, and reporting might be necessary. However, the FDA does not intend to enforce these reporting requirements when: (1) there are no known serious adverse events or deaths associated with the vulnerability; (2) within 30 days, the manufacturer identifies and implements device changes and/or compensating controls that bring the residual risk to an acceptable level, and notifies users; and (3) the manufacturer is a participating member of an Information Sharing and Analysis Organization (“ISAO”)[2], such as the National Health Information Sharing & Analysis Center.
The FDA’s drafters may have been Homeland fans, as the guidance contains a familiar example in which reporting may be necessary: a manufacturer becomes aware of a vulnerability in a Class III medical device (e.g., a pacemaker) that allows it to be reprogrammed by an unauthorized user. The manufacturer performs a risk assessment and concludes that the vulnerability is moderately exploitable and that the risk to the device’s essential clinical performance is uncontrolled. The manufacturer notifies the relevant stakeholders and distributes an emergency patch to mitigate the risk. The manufacturer is not a member of an ISAO. Even if the manufacturer is unaware of any incidents, because this vulnerability could result in severe injury or death, reporting may be necessary.
Conclusion
Even in light of the FDA’s guidance, manufacturers will likely struggle to categorize the risks associated with cybersecurity vulnerabilities. Consequently, determining reporting requirements (which turn on whether a risk is controlled or uncontrolled) may also present challenges unique to each medical device at issue. Manufacturers will be well served by factoring the FDA guidance into their existing cybersecurity plans.
[1] The use of the word “should” in Agency guidance means that something is suggested or recommended, but not required.
[2] An “ISAO” is a group created to gather, analyze, and disseminate critical infrastructure information. See Exec. Order No. 13691 (Feb. 13, 2015).