Drawing on the increasing use of wireless, Internet- and network-connected medical devices, the Food and Drug Administration (“FDA” or “the Agency”) issued a draft guidance document for comment on June 14, 2013, proposing that manufacturers of medical devices that contain software, firmware, or programmable logic, address cybersecurity risks in premarket submissions. The draft guidance, entitled, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, (“Cybersecurity Guidance”), represents the Agency’s most direct and recent effort to address the potential risks of compromised medical device functionality due to intentional or unintentional cyber-attacks. While FDA has stated that it is aware of hundreds of instances of such breaches, the Agency is not aware of any deaths or serious injuries resulting from these breaches.
In conjunction with the draft guidance, FDA issued a safety communication on its website addressing not only medical device manufacturers, but hospitals, medical device user facilities, and health care IT and procurement staff, recommending that these facilities also take steps to ensure that safeguards are place to reduce the risks of medical device failures resulting from cybersecurity breaches, and report such failures.
With the increasing use of wireless, Internet- and network-connected medical devices, along with the frequent electronic exchange of medical device-related health information, the Cybersecurity Guidance recommends that medical device manufacturers develop security controls to safeguard the confidentiality, integrity, and availability of information so as to reduce the potential for cyber-attacks (i.e., the unauthorized modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient) that can result in patient illness, injury, or death. As part of this effort, FDA is recommending that manufacturers consider cybersecurity issues during the design phase of the medical device development process. Specifically, FDA is recommending that manufacturers define and document components of a cybersecurity risk analysis and management plan as part of the overall risk analysis required under 21 C.F.R. 820.30(g). Per the guidance, the key components of a cybersecurity risk analysis would include: (1) identification of assets, threats, and vulnerabilities; (2) impact assessment of threats and vulnerabilities on device functionality; (3) assessments of the likelihood of threats and of a vulnerability being exploited; (4) determination of risk levels and mitigation strategies; and (5) residual risk assessments and risk acceptance criteria.
FDA is proposing a risk-based approach to the type and extent of controls that a manufacturer may need to put in place, noting that the extent and type of controls will depend on the medical device at issue, its environment of use, the type and probability of the risks to which it is exposed, and the probable risks to patients from a security breach. While it is unclear at this time what cybersecurity controls and measures may be acceptable for different types of medical devices and use environments, the Cybersecurity Guidance notes that medical devices that connect to other medical devices, the Internet or other networks, or portable media (e.g. USB or CD) are more vulnerable to cybersecurity threats than devices that are not connected, suggesting that FDA will expect to see more robust controls for devices with such capabilities.
Security control methods that manufacturers might consider employing, per the Cybersecurity Guidance, include the following, among others:
- Limiting access to devices via authentication features;
- Using layered authorization models based on the role of the user;
- Using physical locks on devices to prevent tampering;
- Restricting software updates to authenticated code;
- Securing data transfer and use of encryption methods;
- Implementation of fail-safe device features, particularly for critical functionalities; and
- Use of features that allow for security compromises to be recognized, logged, and acted upon.
Per the draft guidance, FDA would expect medical device manufacturers to submit information related to cybersecurity in 510(k) Notifications, De Novo petitions, Premarket Approval Applications (PMAs), Product Development Protocols (PDPs), and Humanitarian Device Exemption (HDE) submissions, including the following:
- Hazard analysis, mitigations, and design considerations addressing intentional and unintentional cybersecurity risks, including:
- A list of all cybersecurity risks considered in the design of the device;
- A list and justification for all cybersecurity controls established.
- Traceability matrix that links cybersecurity controls to the cybersecurity risks that were considered;
- Systematic plan for providing validated updates and patches to operating systems or medical device software, as needed, to provide up-to-date protection and to address the product life-cycle;
- Appropriate documentation to demonstrate that the device will be provided to purchasers and users free of malware; and
- Device instructions for use and product specifications related to recommended anti-virus software and/or firewall use appropriate for the environment of use.
Safety Communication Calls on Hospitals to Assess Cybersecurity
In conjunction with the draft guidance which would require manufacturers to design-in appropriate controls to address cybersecurity issues going forward and submit such information in premarket submissions, FDA also issued a safety communication on its website. The communication, while addressed to medical device manufacturers, also targets hospitals, medical device user facilities, and healthcare IT and procurement staff. The safety communication recommends that these facilities take steps to ensure that safeguards are in place now to reduce the risks of medical device failures resulting from cybersecurity breaches.
For healthcare facilities and hospital systems specifically, where the networked systems may not be subject to a premarket submission, FDA is recommending that such entities evaluate their network security and take appropriate steps to protect the networked systems, such as restricting access to the network and/or networked medical devices, monitoring use of the network to identify unauthorized use, employing anti-virus software and firewalls, routinely updating security patches, and developing strategies for maintaining critical functionalities in the event of a security breach.
Notably, while the high-level recommendations to medical device manufacturers set forth in the safety communication mirror those found in the Cybersecurity Guidance, the safety communication advises medical device manufacturers that FDA does not typically expect to review software modifications implemented solely to strengthen cybersecurity. In other words, apart from a major modification, should a manufacturer determine that a minor software update to an existing device would be prudent to increase security of the device, such modification may not trigger the need for a new 510(k) submission.
While much of the information in this guidance has not been previously publicly communicated to the device industry and interested parties, the issue of cybersecurity is one that is well known to much of the device industry. Those companies with devices that are susceptible to catastrophic consequences through cyber-attacks have traditionally taken measures to assure the safety of their products. The new guidance adds some structure to the already existing protective steps taken by industry and should lead to more standardization in the protective measures initiated by the device industry. Moreover, the guidance should allow for more open and fruitful discussions with the agency as to FDA’s expectations for what should be included in cybersecurity design features and the submissions to FDA relating to security measures proposed by the premarket clearance/approval applicants.
Interested parties may submit written or electronic comments on the draft guidance by September 12, 2013. Electronic comments can be submitted at http://www.regulations.gov. Written comments can be submitted to the Division of Dockets Management (HFA-305), Food and Drug Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD, 20852.