It seems that everything in our life is getting connected to the Internet. We now live in an age where household items like refrigerators have Internet-connected LCD screens and privacy experts talk about the so-called “Internet of Things.” Medical devices are increasingly becoming connected as well, and like any connected device, they are at risk of getting hacked. In 2014, the U.S. Food and Drug Administration (“FDA”) released final guidance recommending that device manufacturers consider cybersecurity risks when designing and developing their devices. Last month, FDA released separate draft guidance with recommendations for how companies should address the cybersecurity of medical devices after they are released into the market.
Principles of a Postmarket Cybersecurity Management Program
The cornerstone of FDA’s cybersecurity guidance for industry — in both the premarket and postmarket context — is the development of a risk management program. In its new guidance, the FDA identifies a number of critical components that should be included in the device manufacturer’s postmarket risk management program. These include:
- Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
- Understanding, assessing, and detecting presence and impact of a vulnerability;
- Establishing and communicating processes for vulnerability intake and handling;
- Clearly defining essential clinical performance to develop mitigations that protect, respond, and recover from the cybersecurity risk;
- Adopting a coordinated vulnerability disclosure policy and practice; and
- Deploying mitigations that address cybersecurity risk early and prior to exploitation.
Essential Clinical Performance
The fourth component mentioned above introduces a concept that is central to the guidance: “essential clinical performance.” As noted by FDA, the majority of actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered “cybersecurity routine updates or patches.” In these cases, the FDA would not require advance notification, premarket review or reporting under its regulations. However, a small subset of vulnerabilities and exploits may, according to the draft guidance, compromise the essential clinical performance of a device and thus present a reasonable probability of serious adverse health consequences or death. In these circumstances, FDA would require the manufacturer to notify the agency. FDA defines essential clinical performance as “performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer.”
According to the draft guidance, manufacturers should define the essential clinical performance of their device, the resulting severity outcomes if compromised, and the risk acceptance criteria. Manufacturers should conduct this analysis in an objective manner by considering two factors:
- The exploitability of the cybersecurity vulnerability; and
- The severity of the health impact to patients if the vulnerability were to be exploited.
FDA acknowledges that objectively assessing the exploitability of a device is difficult, especially if there is an absence of data. Instead of using conventional medical device risk management approaches, FDA suggests that manufacturers consider using a cybersecurity vulnerability assessment tool or similar scoring system, such as the Common Vulnerability Scoring System. In terms of objectively assessing the severity of the health impact, moreover, FDA recommends that manufacturers use the qualitative severity levels described in the International Standard Organization’s Standard for the application of risk management to medical devices.
Controlled vs. Uncontrolled Risks
According to FDA, a key purpose of conducting the above assessment is to evaluate whether the risk to essential clinical performance of the device is controlled (acceptable) or uncontrolled (unacceptable). One method of assessing the acceptability of risk to essential clinical performance is by indicating in a matrix which combinations of “exploitability” and “severity impact to health” represent risks that are controlled or uncontrolled. The draft guidance contains an example of an approach that could be used to assess the risk to the device’s essential clinical performance:
As is apparent from the matrix above, not every assessment will yield a black or white result. FDA acknowledges this grey area, but nevertheless recommends that manufacturers make a binary determination that a vulnerability is either controlled or uncontrolled. The result of this binary determination is crucial: if a manufacturer concludes that there is uncontrolled risk to their device’s essential clinical performance, FDA expects the manufacturer to report these vulnerabilities to FDA according to 21 C.F.R. 806 (mandatory reports of product corrections or removals). At the same time, the FDA has also decided to exercise discretion in this area, and it does not intend to enforce these reporting requirements if:
- There are no known serious adverse events or deaths associated with the vulnerability;
- Within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users; and
- The manufacturer is a participating member of an Information Sharing Analysis Organization (“ISAO”), such as the National Health Information Sharing & Analysis Center.
The fact that FDA makes participation in an ISAO a condition of the agency’s discretionary enforcement sends a strong message to device manufacturers that cooperation across the industry is a critical component of postmarket cybersecurity. To this end, the agency recently held a public workshop to discuss these issues, which we plan to highlight in a future blog post. In the meantime, interested parties can submit comments on the new cybersecurity draft guidance until April 21, 2016.