Like many industries, progress within the medical field depends on innovation. This innovation has produced novel technologies and medical device improvements that rely increasingly on data storage, software, networks, and user devices. The scale and severity of cyberattacks are on the rise, and much like computers, these technologies are vulnerable to cybersecurity threats ranging from malware to hackers [1,2]. This phenomenon has led to the cybersecurity of medical devices becoming a hot topic within the industry. While networked medical devices and other mobile health technologies have the potential to expose patients and health care organizations to safety and security risks, devices such as infusion pumps, ventilators, and pacemakers are of particular concern, as compromised device functionality can result in patient illness, injury, or death [2,3].
Various regulatory and legislative bodies are working to minimize the risk of security breaches and maintain data privacy, while promoting medical device safety and efficacy. Among them is the FDA, which has developed two guidance documents that outline best practices for pre- and post-market cybersecurity for medical devices. The goal of these recommendations is to help stakeholders identify vulnerabilities and mitigate the risks associated with their device. The FDA defines cybersecurity as “the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.”
FDA’s Guidance on Premarket Submissions for Management of Cybersecurity in Medical Devices
In October 2014, the FDA issued its final guidance that contains recommendations for an effective cybersecurity risk management framework, and instructions for pre-market submissions. Their goal is to ensure that manufacturers develop cybersecurity controls that will maintain medical device security, functionality, and safety. The Agency’s recommendations for cybersecurity are consistent with the NIST Framework for Improving Critical Infrastructure Cybersecurity, with the following core functions: Identify, Protect, Detect, Respond, and Recover. Medical device premarket applications should include a cybersecurity section, and the FDA will evaluate how manufacturers are mitigating risks.
Identify and Protect
The FDA recommends that manufacturers develop and evaluate the critical performance of their product so that they know how it must perform clinically to be safe and effective for its intended use. This approach can then be used to define and evaluate the cybersecurity risks for the device. The security controls must protect the data, functionality, and performance of the device. These controls should be chosen by identifying the device’s intended use, presence/intent of electronic data interfaces, intended environment of use, cybersecurity vulnerabilities, the likelihood of exploitation, and the probability of patient harm due to a breach.
Detect, Respond, Recover
Manufacturers should ensure that mechanisms are in place to log breaches and protect the functionality of the device. The FDA recommends that manufacturers implement cybersecurity features that allow for security compromises to be detected, logged, and acted upon in a timely manner that protects critical function in the event of a breach, while also allowing retention and recovery of device configuration.
The guidance outlines the type of documentation the FDA recommends including in premarket submissions for medical devices. These recommendations are predicated on the implementation and management of a quality system in accordance with the Quality System Regulation (QSR).
The following information should be included in submission documentation:
1) Hazards analysis, mitigations, and design considerations, including all cybersecurity risks and all controls.
2) A traceability matrix that links cybersecurity controls to risks.
3) A plan for providing validated software updates and patches throughout the lifecycle of the medical device to maintain its safety and effectiveness.
4) A summary describing controls that maintain software integrity (e.g., remain free of malware), from the point of origin to the point at which that device leaves the control of the manufacturer.
5) Instructions for use and product specifications related to cybersecurity controls implemented in the intended use environment (e.g., anti-virus software, use of a firewall, etc.).
FDA’s Draft Guidance on Post-Market Management of Cybersecurity in Medical Devices
The FDA’s recommendations for post-market management of cybersecurity risks in marketed medical devices were issued in a draft guidance in January 2016. In addition to the recommendations included in the draft guidance, the FDA encourages manufacturers to address cybersecurity throughout the lifecycle of the product: during design, development, production, distribution, deployment, and maintenance of the device.
Post-market security controls are necessary because it is impossible to mitigate all risks, as cybersecurity risks are constantly evolving. The FDA recommends that manufacturers implement cybersecurity risk management programs and documentation that is consistent with the QSR (21 CFR part 820), including: complaint handling, quality audits, CAPA, software validation & risk analysis, and servicing.
These risk management programs should focus on addressing vulnerabilities that may allow unauthorized access, modification, misuse/denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient, and may impact patient safety.
Similar to the pre-market recommendations, the FDA suggests that post-market cybersecurity programs incorporate elements consistent with the NIST Framework for Improving Critical Infrastructure Cybersecurity (i.e., Identify, Protect, Detect, Respond, and Recover). The post-market draft guidance also covers topics such as assessing the severity of impact to health, recommended content to include in PMA periodic reports, and controlled/uncontrolled risk to essential clinical performance, which will not be discussed in this article.
a) Defining essential clinical performance: The FDA defines essential clinical performance as “performance necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer.” Manufacturers should define the essential clinical performance of their device, the resulting severity outcomes if compromised, and the risk acceptance criteria.
b) Identification of Cybersecurity Signals: The FDA defines cybersecurity signals as “any information which indicates the potential for, or confirmation of, a cybersecurity vulnerability or exploit that affects, or could affect a medical device.” Manufacturers are encouraged to identify cybersecurity signals that might affect their product, and engage with the sources that report them. They should analyze complaints, returned product, service records, and other sources of quality data to help identify existing or potential problems.
a) Vulnerability Characterization and Assessment: The FDA recommends that manufacturers characterize and assess identified vulnerabilities in order to provide information that will help them triage remediation activities.
b) Risk Analysis and Threat Modeling: This recommendation suggests that manufacturers conduct cybersecurity risk analyses that include threat modeling for each of their devices and update those analyses over time.
c) Analysis of Threat Sources: Manufacturers should analyze possible threat sources. This analysis seeks to identify risk introduced by an active adversary.
d) Incorporation of Threat Detection Capabilities: Because some devices aren’t capable of detecting threat activity by themselves, manufacturers should consider incorporating design features that establish/enhance the ability of the device to detect and produce forensically sound post-market evidence captured in the event of a cyberattack.
e) Impact Assessment on All Devices: Manufacturers should establish a process that assesses the impact of a cybersecurity signal horizontally and vertically.
• Horizontally: determine if there is an impact across all medical devices within the manufacturer’s product portfolio (aka variant analyses).
• Vertically: determine if there is an impact on specific components within the device.
a) Compensating Controls Assessment: The FDA recommends manufacturers implement device-based features as a primary mechanism to mitigate the impact of a vulnerability to essential clinical performance.
b) Risk Mitigation of Essential Clinical Performance: Manufacturers should determine if the vulnerability risk levels to the essential clinical performance are adequately controlled by the existing device features and/or manufacturer defined compensating controls.
Note: The FDA considers routine cybersecurity updates and patches as device enhancements, not recalls. Additionally, changes that do not impact the essential clinical performance of the device while improving performance and quality are also considered device enhancements, not recalls. For further information, see FDA’s guidance titled: Distinguishing Medical Device Recalls from Medical Device Enhancements.
1. Hogan Lovells LLP & Medical Device Manufacturers Association. (2016, June 16). Managing Cybersecurity Challenges for Medical Devices [Webinar]. Retrieved from: https://www.youtube.com/watch?v=M6gFnSWBtpc&feature=youtu.be
2. McGee, M. (2014). Ramping Up Medical Device Cybersecurity. Retrieved from: http://www.govinfosecurity.com/ramping-up-medical-device-cybersecurity-a-7360
3. Deloitte Development LLC. (2013). Networked Medical Device Cybersecurity and Patient Safety: Perspectives of Healthcare Information Cybersecurity Executives. Retrieved from: http://www2.deloitte.com/content/dam/Deloitte/us/Documents/life-sciences-health-care/us-lhsc-networked-medical-device.pdf
4. U.S. Food and Drug Administration. (2014). Content of Premarket Submission for Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff. Retrieved from: http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm356190.pdf
5. U.S. Food and Drug Administration. (2016). Postmarket Management of Cybersecurity in Medical Devices: Draft Guidance for Industry and Food and Drug Administration Staff. Retrieved from: http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidan