Posted 15 January 2016
By Zachary Brennan
The prospect of a hacker or software vulnerability in a medical device causing serious harm to patients is pushing the US Food and Drug Administration (FDA) to require manufacturers to report a small subset of cybersecurity vulnerabilities that could compromise the clinical performance of a device, according to draft guidance released Friday.
The draft guidance is meant to clarify FDA’s postmarket recommendations, particularly on how manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of devices.
“For a small subset of cybersecurity vulnerabilities and exploits that may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death, the FDA would require medical device manufacturers to notify the Agency,” according to the guidance.
However, the presence of a vulnerability does not necessarily trigger patient safety concerns; what matters, FDA says, is the impact of the vulnerability on the essential clinical performance of the device and whether it could lead to a safety issue.
The agency goes into depth on how to conduct a cyber-vulnerability risk assessment to evaluate whether a vulnerability poses a risk to the essential clinical performance of the device and whether that risk is controlled (acceptable) or uncontrolled (unacceptable).
“One method of assessing the acceptability of risk to essential clinical performance is by indicating in a matrix in which combinations of ‘exploitability’ and ‘severity impact to health’ represent risks that are controlled or uncontrolled,” FDA says. “A manufacturer can then conduct assessments of the exploitability and severity impact to health and then use such a matrix to assess the risk to essential clinical performance for the identified cybersecurity vulnerabilities. For risks that remain uncontrolled, additional remediation should be implemented.”
FDA offers some in-depth examples in the draft of vulnerabilities associated with controlled and uncontrolled risks and what must be remediated and responded to.
As far as vulnerabilities associated with controlled risk and their management, FDA points to two examples: one in which a manufacturer is notified of an open, unused communication port by the US Department of Homeland Security Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT), and one in which a manufacturer receives a user complaint that a recent security software scan of the PC component of a Class III medical device has indicated that the PC is infected with malware.
In the case of the open, unused communication port, if the manufacturer finds that the threat is “mitigated substantially by the need for physical access due to this device feature and the residual risk is considered ‘acceptable,’” the company should just update the device’s security by taking steps to close the unused communication port(s) and inform device users. Such an example is considered a cybersecurity routine update or patch and may not require reporting to FDA.
In the case of the malware, if the manufacturer discovers that the device’s essential clinical performance is not impacted by the malware’s collection of internet browsing information, the manufacturer does not need to report the software update to the FDA, though FDA should be notified of the update in an annual report if the device is Class III.
And even if a manufacturer is made aware of open, unused communication ports that present an uncontrolled risk, if the manufacturer identifies and implements compensating controls to bring the residual risk to an acceptable level and notifies users within 30 days of becoming aware of the vulnerability, “FDA does not intend to enforce the reporting requirements under 21 CFR part 806.”
However, if a manufacturer becomes aware from a researcher that its Class III medical device (e.g., implantable defibrillator, pacemaker, etc.) can be reprogrammed by an unauthorized user, and this vulnerability could result in permanent impairment, a life-threatening injury or death, and the device’s design cannot mitigate the vulnerability, the manufacturer should notify appropriate stakeholders, distribute a validated emergency patch and report this action to FDA.
In addition, consider a vulnerability that is known to the security community, yet unknown to a medical device manufacturer, and is incorporated into a Class II device during development. If the manufacturer later becomes aware of the vulnerability and cannot mitigate the risk, and no device failures or patient injuries have been reported, but the company’s risk assessment concludes that the risk to essential clinical performance is controlled with additional mitigation, and the company took action to mitigate the risk within 30 days of learning of the vulnerability and is a participating member of an Information Sharing and Analysis Organization, FDA does not intend to enforce compliance with the reporting requirement.
In another example, FDA explains that if a hospital reports that a patient was harmed after a medical device failed to perform as intended and the manufacturer investigation determines that the device malfunctioned as a result of exploitation of a previously unknown software vulnerability, the manufacturer should file a report to notify FDA.
Draft Guidance on Postmarket Management of Cybersecurity in Medical Devices