An effective medical device cybersecurity risk management program needs to include premarket and postmarket lifecycle phases, according to recent guidance from the Food and Drug Administration (FDA). Furthermore, cybersecurity should be addressed “from medical device conception to obsolescence.”
The FDA published the final version of its “Postmarket Management of Cybersecurity in Medical Devices,” which had been released in draft form in January 2016.
Medical device manufacturers are encouraged to consider potential cybersecurity risks and vulnerabilities “throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device,” the FDA explained.
“A growing number of medical devices are designed to be networked to facilitate patient care,” the guidance stated. “Networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats.”
A proactive approach to cybersecurity risks can help reduce the overall risk to patients’ health, according to the report.
Collaboration is also essential, the FDA noted, and cybersecurity risk management is a shared responsibility among stakeholders such as medical device manufacturers, users, Information Technology (IT) system integrators, and health IT developers.
“Public and private stakeholders should collaborate to leverage available resources and tools to establish a common understanding that assesses risks for identified vulnerabilities in medical devices among the information technology community, healthcare delivery organizations (HDOs), the clinical user community, and the medical device community,” the guidance said.
Information sharing will also help ease potential medical device cybersecurity issues, the agency explained. When the medical device community shares cyber risk information, it “can enhance management of individual cybersecurity vulnerabilities and provide advance cyber threat information to additional relevant stakeholders.”
The FDA guidance specifically applies to any marketed and distributed medical device. This includes devices containing software, such as firmware, or programmable logic. Software that is itself a medical device, including mobile apps, also falls under the recent guidance. However, the guidance does not apply to investigational devices.
A cybersecurity vulnerability management approach that is part of the software validation and risk analysis should also be established, the FDA wrote. Overall, the following elements should be included:
- Identification of assets, threats, and vulnerabilities
- Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients
- Assessment of the likelihood of a threat and of a vulnerability being exploited
- Determination of risk levels and suitable mitigation strategies
- Assessment of residual risk and risk acceptance criteria
The FDA also maintained that postmarket cybersecurity monitoring is critical, as medical device cybersecurity risks are continuously evolving.
“It is essential that manufacturers implement comprehensive cybersecurity risk management programs and documentation consistent with the Quality System Regulation,” the agency said.
This includes complaint handling, quality audit, corrective and preventive action, software validation and risk analysis, and servicing.
“Cybersecurity risk management programs should emphasize addressing vulnerabilities which may permit the unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient, and may result in patient harm,” the guidance stated. “Manufacturers should respond in a timely fashion to address identified vulnerabilities.”
When assessing patient harm, the FDA said that both the exploitability of the cybersecurity vulnerability and the severity of patient harm if the vulnerability were to be exploited should be considered.
The FDA also acknowledged that it is impossible to completely secure medical devices and the surrounding network infrastructure. Moreover, the existence of a vulnerability does not by itself mean that there will be patient harm.
“Rather it is the impact of the vulnerability on the safety and essential performance of the device which may present a risk of patient harm,” the FDA explained. “Vulnerabilities that do not appear to currently present a risk of patient harm should be assessed by the manufacturer for future impact.”
Finally, the FDA reviewed how organizations should approach remediating and reporting cybersecurity vulnerabilities.
“Based on the vulnerability assessment described in the previous section, the exploitability of an identified vulnerability and its severity of patient harm can help determine the risk of patient harm and can be categorized as either ‘controlled’ (acceptable residual risk) or ‘uncontrolled’ (unacceptable residual risk),” the guidance said. “When determining how to manage a cybersecurity vulnerability, manufacturers should incorporate already implemented compensating controls and risk mitigations into their risk assessment.”