Just before the close of 2016, the US Food and Drug Administration (FDA) finalized its guidance for managing postmarket cybersecurity for connected medical devices.
While the core principles of the guidance are largely similar to the draft version released in January 2016, FDA has made a number of changes to the guidance pertaining to cybersecurity vulnerability disclosure, remediating and reporting vulnerabilities, and participation in Information Sharing Analysis Organizations (ISAOs).
FDA details its framework for manufacturers to implement a comprehensive postmarket cybersecurity risk management program and establishes criteria for reporting cybersecurity vulnerabilities based on the risk they pose to patients.
According to Suzanne Schwartz, associate director for science and strategic partnerships at the Center for Devices and Radiological Health, device manufacturers must view cybersecurity as part of their product's total lifecycle.
"Manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients," Schwartz writes.
In the final guidance, FDA has expanded the list of critical components of a cybersecurity risk management program to include considerations for software lifecycle processes, including monitoring third-party software for new vulnerabilities and verifying and validating any software updates or patches meant to address vulnerabilities.
FDA also makes clear in the final guidance that it has recognized two International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) standards, ISO/IEC 30111:2013: Information Technology – Security Techniques – Vulnerability Handling Processes and ISO/IEC 29147:2014: Information Technology – Security Techniques – Vulnerability Disclosure, which the agency points to as additional resources for manufacturers.
Patient Harm vs. Essential Clinical Performance
Throughout the guidance, references to a device's "essential clinical performance" have been changed to reflect the risk of patient harm, including injury or death, posed by cybersecurity threats.
This shift is most prominent in the "General Principles" section, where the subsection on essential clinical performance has been replaced by a section that focuses primarily on mitigating patient harm.
Additionally, while noting that other types of harm, such as the loss or compromise of protected health information (PHI), are not covered by the guidance, FDA says it recommends that manufacturers "consider protecting the confidentiality of such information as part of their overall comprehensive risk management program."
Vulnerability Disclosure and Reporting
Another change in the final guidance is FDA's recommendation for manufacturers to implement a disclosure policy that "includes acknowledging the receipt of the initial vulnerability report to the vulnerability submitter."
This change is likely intended to address concerns from cybersecurity researchers, who have often complained that companies are unresponsive after receiving a vulnerability report for one of their products.
The final guidance also includes clarifications for when manufacturers should report cybersecurity vulnerabilities to FDA.
As in the draft version of the guidance, FDA says that in many cases, manufacturers will not need to report actions taken to enhance a device's cybersecurity or address cybersecurity vulnerabilities, except in "a small subset of actions taken by manufacturers to correct device cybersecurity vulnerabilities and exploits that may result in patient harm."
For vulnerabilities that pose a "controlled" risk, FDA has added new examples of situations where changes to a device would be considered a "routine update or patch" and not be subject to reporting requirements under 21 CFR Part 806.
However, FDA has also amended its list of criteria that must be met in order for manufacturers to avoid reporting uncontrolled vulnerabilities.
Specifically, FDA has fleshed out the actions manufacturers must take within 30 days of learning of a vulnerability, while giving manufacturers up to 60 days to fix the vulnerability, validate a product change or distribute the fix to customers.
Lastly, FDA has added a section detailing its definition of "active participation" in an ISAO.
In the draft guidance, FDA recommended that manufacturers participate in an ISAO, and required active participation in an ISAO in order to avoid reporting certain cybersecurity-related actions to the agency.
However, one of the criticisms of the draft guidance was that the agency did not clearly define what constitutes active participation.
Now, FDA says it considers a company to be an active participant in an ISAO if it meets the following criteria:
- "The manufacturer is a member of an ISAO that shares vulnerabilities and threats that impact medical devices;
- The ISAO has documented policies pertaining to participant agreements, business processes, operating procedures, and privacy protections;
- The manufacturer shares vulnerability information with the ISAO, including any customer communications pertaining to cybersecurity vulnerabilities; and
- The manufacturer has documented processes for assessing and responding to vulnerability and threat intelligence information received from the ISAO. This information should be traceable to medical device risk assessments, countermeasure solutions, and mitigations."
FDA, FDA Voice