The issue of cybersecurity has been on FDA’s radar in the last year, due in part to a Government Accountability Office report issued last August that urged FDA to consider the risk of intentional threats to device information security. Although the GAO report noted that FDA was not aware of any actual incident of device hacking, researchers have demonstrated the ability to remotely exploit devices such as implanted defibrillators and insulin pumps.
Addressing such threats, FDA has issued a draft guidance document entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” The draft guidance is intended to make “recommendations to consider and document in FDA medical device premarket submissions to provide effective cybersecurity management and to reduce the risk that device functionality is intentionally or unintentionally compromised.”
FDA outlines three general principles of cybersecurity that manufacturers should consider:
- Confidentiality of data, information, and systems;
- Integrity of data and information; and
- Availability of data, information, and information systems when needed.
According to the draft guidance, devices that connect with other devices, with the Internet, or with portable media could be more vulnerable to cybersecurity threats. Manufacturers will be expected to perform a hazard analysis for their particular devices.
The draft guidance makes specific recommendations of security features to consider and document in premarket submissions, including measures to limit access to trusted users, ensuring trusted content, and using fail safe and recovery features. The draft guidance also specifies the type of documentation that should be included in submissions to address cybersecurity issues, such as a traceability matrix that links cybersecurity controls to risks that were considered.
Although the guidance is geared toward premarket submissions, it may be useful for manufacturers of class I devices as well. Class I devices that are automated with computer software are subject to the design controls of the Quality System Regulation (QSR). FDA recommends several specific cybersecurity activities that manufacturers should consider as part of a risk assessment under the QSR.