Share this article on:
This month the Food and Drug Administration (FDA) has finalized its guidelines on the development of management strategies covering cybersecurity, the use of medical device and requirements for premarket submissions. The document is titled: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, and is available on the FDA website.
The document is essential reading for any medical device manufacturer to ensure future premarket submissions are accepted, and that steps are taken to ensure current medical devices being produced adhere to the new guidelines.
The guidelines were prepared to force manufacturers to take the potential risk of cyber attacks into consideration and to incorporate appropriate security measures and safeguards to reduce the risk of susceptibility of attack and of device failure.
The FDA identified potential vulnerabilities which could lead to the loss or theft of private data, although the agency has so far not released any information on specific injuries caused by cyber attacks. The presence of spyware/malware on doctors or hospital computers along with slow installation of operating system security updates were raised as the main areas of concern, especially when older medical devices are in use.
In recent months there have been a number of initiatives taken by the government to reduce the risk of data theft and cyber attacks involving a general strengthening and bolstering of cybersecurity measures as laid out in the Executive Order 13636 and the Presidential Policy Directive 21. Both of these directives are aimed at augmenting defenses and improving resilience against cyber attacks to protect the nation’s critical infrastructure.
FDA Guidelines on the Management of Cybersecurity
The guidelines have built on the NIST framework introduced in February this year which was developed to assist organizations create and implement effective cybersecurity programs.
Manufacturers of medical devices are required to consider cybersecurity during the design and development process and when preparing premarket submissions. These considerations should involve design inputs to reduce vulnerability to cyber attacks and should be incorporated under a Quality System Regulation risk analysis.
The guidelines are flexible and security controls should be applied as appropriate, depending on the nature of the medical device, its intended use and the cybersecurity risk. Probable injury, damage or loss caused by any breach in cybersecurity should also be given due consideration. The FDA has also categorized security controls under five core functions: Identify, Protect, Detect, Respond, and Recover.
Following on from the issuing of the draft guidelines, trade groups and product manufacturers agreed that information relating to cybersecurity should now be included in history files of device design, although it was argued that the inclusion of this information with premarket submissions was unnecessary. However, the FDA has decided that cybersecurity is part of the design process and would be measured along with the effectiveness of the product. In particular, device manufacturers should conduct and include a hazard analysis relating to the cybersecurity risk, a traceability matrix linking risks to control measures and a strategy for updating software and providing firmware upgrades and patches throughout the typical lifespan of the product.
Confidentiality considerations have been deemed to be of less concern than previously thought and a section has been removed from the final guidelines which was present in the draft./ This relates to “confidentiality, integrity, and availability” of the device and that manufacturers should assure this. The change is believed to be due to this falling outside the remit of the FDA, with issues of accountability addressed by other government agencies or covered under HIPAA Security and Privacy Rules.
Medical device manufacturers have been sent a clear message: Cybersecurity is a major concern and questions will be asked about the steps taken to reduce vulnerabilities. Evidence of the actions taken by device manufacturers to reduce risk will be required to support premarket submissions.
An assessment of risks must be performed which should include those risks that cannot be eliminated or negated by security control measures implemented by the manufacturer. This suggests that the FDA appreciates that cybersecurity is a shared responsibility and users and purchasers of the devices must also take action to reduce the risk of cyber attack and loss or theft of confidential data.