On January 22, 2016, the U.S. Food and Drug Administration issued draft guidance for the medical device industry. The guidance outlines the steps medical device manufacturers should take to monitor, identify, and address the postmarket cybersecurity risks inherent in medical devices containing software or programmable logic, and in software that is a medical device.

The FDA is seeking public input, and the comment period will remain open for 90 days.

Calling cybersecurity threats to medical devices “a growing concern,” the FDA urges device manufacturers to improve cybersecurity risk management throughout the product lifecycle in a manner commensurate with the evolving cyber threat.

The guidance focuses in particular on the steps medical device companies should take to assess and mitigate cybersecurity vulnerabilities after their products go to market. Although the guidance is nonbinding, the FDA’s recommendations in effect create new postmarket cybersecurity standards for reasonable behavior.

CURE member Wiggin and Dana has provided the following advisory.

Cybersecurity Risk Management Programs Are Essential. The guidance states that it is “essential” for device manufacturers to implement cybersecurity risk management programs and documentation that address postmarket complaint handling, quality audit, corrective and preventive action, software validation and risk analysis, and servicing, consistent with the Quality System Regulation (21 CFR part 820). The guidance also identifies the following “critical components” of an effective cybersecurity risk management program:

  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  • Understanding, assessing, and detecting presence and impact of a vulnerability;
  • Establishing and communicating processes for vulnerability intake and handling;
  • Clearly defining “essential clinical performance” so that potential compromise of essential clinical performance can be identified and mitigation strategies developed that protect, respond, and recover from the cybersecurity risk;
  • Adopting a coordinated vulnerability disclosure policy and practice; and
  • Deploying mitigation strategies that address cybersecurity risk early and prior to exploitation.

Follow the NIST Cybersecurity Framework. The guidance further explains that a cybersecurity risk management program for a medical device should cover both its premarket and postmarket phases. To accomplish cybersecurity across a product’s lifecycle, the FDA strongly encourages manufacturers to develop their cybersecurity risk management programs using the Cybersecurity Framework developed by the National Institute of Standards and Technology (“NIST”). The NIST Cybersecurity Framework is a voluntary, risk-based tool that outlines five core functions (Identify, Protect, Detect, Respond, and Recover) related to cybersecurity risk.

The guidance includes an appendix that walks through the Framework’s core elements in the context of a medical device manufacturer’s cybersecurity risk management program. According to the guidance, medical device companies should use the Framework to develop programs that include methods for (1) identifying, characterizing, and assessing cybersecurity vulnerabilities; (2) analyzing, detecting, and assessing threat sources; and (3) adopting device-based features and compensatory controls to address unacceptable risk.

See complete Draft Guidance document here
See related article re the Cybersecurity Act of 2015 here