FDA Issues New Guidance for the Management of Cybersecurity in Medical Devices

By John Fuson, Jodi G. Daniel, Amber Mulcare & Brandon C. Ge on October 19, 2018

Yesterday, the FDA released draft guidance on the management of cybersecurity in medical devices submitted to the agency for premarket review. Noting that cybersecurity threats to the healthcare sector have increased in number and severity, the FDA offered new recommendations for device design, labeling, and documentation that medical device manufacturers will need to consider during premarket submission processes.

The guidance comes shortly after the FDA’s launch of its Medical Device Cybersecurity Playbook, which provides a framework for healthcare delivery organizations to use in preparing for and responding to cybersecurity threats against patient medical devices.

Given rapid changes in technology and increasing innovation in the digital health market, the guidance is intended to decrease the risk of cyberattacks that could render medical devices inoperable and potentially harm patients. Comments on the draft guidance are due on March 18, 2019.

Identify, Protect, Detect, Respond, and Recover: Defining New Tiers of Risk

To aid medical device manufacturers in complying with the new recommendations for the design of secure devices, the FDA defines two tiers of devices according to their cybersecurity risk and updates the recommended documentation for all submissions.

Tier 1

Tier 1 “Higher Cybersecurity Risk” devices are defined as those that are capable of connecting, either wired or wirelessly, to another medical or non-medical product, to a network, or to the internet, and for which a cybersecurity incident could directly result in harm to multiple patients. The FDA notes that examples include “implantable cardioverter defibrillators (ICDs), pacemakers, left ventricular assist devices (LVADs), brain stimulators and neurostimulators, dialysis devices, infusion and insulin pumps, and the supporting connected systems that interact with these devices such as home monitors and those with command and control functionality such as programmers.”

Tier 1 device manufacturers are recommended to include design documentation in their submissions to demonstrate that the device is trustworthy and secure. FDA recommends that manufacturers develop “trustworthy devices” using the NIST Framework for Improving Critical Infrastructure Cybersecurity and the implementation of security controls to reduce cybersecurity risks. Manufacturers are recommended to consider and address 38 security controls in their documentation in order to demonstrate that any “medical device containing hardware, software, and/or programmable logic…(1) is reasonably secure from cybersecurity intrusion and misuse; (2) provides a reasonable level of availability, reliability, and correct operation; (3) is reasonably suited to performing its intended functions; and (4) adheres to generally accepted security procedures.”

Tier 2

Tier 2 “Standard Cybersecurity Risk” devices are those that do not fall under the criteria of Tier 1 devices. Though they may not be deemed to be “high risk” targets for cybersecurity attacks, Tier 2 devices highlight the FDA’s broad-based approach for reviewing all medical devices’ vulnerabilities and its recommendation that manufacturers analyze the risk of exploitability in all new devices.

Premarket submissions of Tier 2 devices should include documentation that the manufacturer incorporated all of the security controls recommended for Tier 1 devices, or provide the FDA with a risk-based rationale for why the controls are not appropriate.

This guidance marks a significant shift in how the FDA will review medical devices and the framework it utilizes to measure risk to patients. The current guidance, which was issued in 2014, contains only 14 security controls and significantly fewer documentation recommendations for manufacturers to consider.

Informing End-Users of Cybersecurity Risks

The guidance also focuses on the importance of informing end-users of security information through labeling to help mitigate cybersecurity risks. The guidance states that when drafting labeling for inclusion in a premarket submission, a manufacturer should consider all applicable labeling requirements and how informing users through labeling may be an effective way to manage cybersecurity risks.

The FDA provides recommended labeling instructions for manufacturers to consider when determining applicable labeling requirements. While many of the instructions appear to be aimed at healthcare technology management and information technology professionals, one specifically recommends providing a Cybersecurity Bill of Materials (CBOM) for users such as patients, providers, and healthcare delivery organizations. A CBOM lists all software and hardware components so that the user can prepare for cybersecurity threats by “effectively manag[ing] assets, understand[ing] the potential impact of identified vulnerabilities to the device (and the connected system), and deploy[ing] countermeasures to maintain the device’s essential performance.”
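To show what a CBOM buys the user in practice, here is an added example (not code from the FDA guidance or the original post) that checks a device's component inventory against vulnerability advisories; the CBOM layout, component names, version numbers and advisory identifiers are all constructed placeholders.

```python
# Added example, not from the FDA guidance or the original post: check a
# Cybersecurity Bill of Materials (CBOM) against vulnerability advisories so the
# user can see which components an identified vulnerability touches. The CBOM
# layout, component names and advisory records are constructed placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str      # library, RTOS, radio module, etc.
    version: str   # dotted version string as shipped
    kind: str      # "software" or "hardware"

@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE
    component: str
    fixed_in: str      # first version that is not affected

def parse_version(v: str) -> tuple:
    """'1.10.2' -> (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def affected_components(cbom, advisories):
    """Return (advisory_id, component) pairs for each CBOM entry whose version
    is older than the advisory's fixed version."""
    hits = []
    for adv in advisories:
        for comp in cbom:
            if comp.name == adv.component and parse_version(comp.version) < parse_version(adv.fixed_in):
                hits.append((adv.advisory_id, comp))
    return hits

# Constructed CBOM for a hypothetical connected infusion pump (a Tier 1 device)
PUMP_CBOM = [
    Component("rtos-kernel", "4.2.1", "software"),
    Component("tls-stack", "1.0.9", "software"),
    Component("wifi-module", "2.3", "hardware"),
]

# Constructed advisories; ids are placeholders
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "tls-stack", "1.1.0"),   # pump ships 1.0.9: affected
    Advisory("ADV-EXAMPLE-002", "rtos-kernel", "4.2.0"), # pump ships 4.2.1: not affected
]

for adv_id, comp in affected_components(PUMP_CBOM, ADVISORIES):
    print(f"{adv_id}: {comp.kind} component {comp.name} {comp.version} needs attention")
```

Without the inventory, the user would have no way to know the pump carries the affected TLS stack at all, which is the "understand the potential impact of identified vulnerabilities" point the guidance makes.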

The new labeling guidance and the recommendations made in the Medical Device Cybersecurity Playbook indicate that the FDA seeks to increase the resiliency of healthcare delivery organizations against cyberattacks and prevent any disruption of patient care delivery.

Public feedback on the draft guidance may be submitted until March 18, 2019 via https://www.regulations.gov. Medical device manufacturers, particularly those in the digital health space, should analyze the impact of the updated guidance on their devices and take the opportunity to submit comments for FDA consideration. For further assistance, please contact Jodi Daniel (jdaniel@crowell.com) or John Fuson (jfuson@crowell.com).

John Fuson

John Fuson is a partner in the firm’s Health Care, Product Risk Management (PRM), and White Collar and Regulatory Enforcement groups, focusing on U.S. Food and Drug Administration (FDA) enforcement and counseling matters.

Amber Mulcare

Amber Mulcare (CIPP-US) is an associate in Crowell & Moring’s Washington, D.C. office and a member of the firm’s Health Care and Privacy & Cybersecurity groups. She represents health insurance plans, health systems, major technology companies, government contractors, and other clients on a variety of digital health, privacy, and security matters.

Brandon C. Ge

Brandon C. Ge is an associate in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Privacy & Cybersecurity and Health Care groups.

Brandon advises clients on a wide range of privacy and cybersecurity laws, regulations, and standards. His practice has a particular focus on advising clients – from start-up digital health companies to large health plans – on all aspects of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Brandon regularly assists clients with responding to security incidents and has successfully represented clients in Office for Civil Rights investigations.

  • Posted in:
    Health Care
  • Blog:
    C&M Health Law
  • Organization:
    Crowell & Moring LLP
