Are you up-to-speed on the FDA's postmarket guidance for cybersecurity in medical devices? CSA Group explains everything you need to know.
Major advances in medical technologies over the last few decades have contributed to early diagnosis of diseases, more efficient delivery of treatment, and longer, healthier lives. Network-connected medical devices in particular are redefining 21st century healthcare. With many life-sustaining and life-supporting medical devices residing on hospital networks – and many more connected wirelessly – the risk for cyber-attack is high, and this could compromise a device’s functionality, personal information, and patients’ health and safety. Implementing cybersecurity measures for devices and the networks to which they connect is critical. That is why the Food and Drug Administration’s (FDA) Guidance on Postmarket Management of Cybersecurity in Medical Devices makes it very clear that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of their postmarket management plans.
Here are some main things you should know about the FDA’s Postmarket Guidance:
It applies to any marketed and distributed medical device
These include:
- Medical devices that contain software, firmware, or programmable logic
- Software that is a medical device, including mobile medical applications
- Medical devices that are considered to be part of an interoperable system
- Legacy devices
It provides a risk management framework to detect, assess, report, and mitigate cyber threats
The FDA takes a holistic approach to cybersecurity by providing recommended measures across the entire product lifecycle, including when it’s in use. Since introducing postmarket guidance, medical device vendors have reported 400% more vulnerabilities per quarter – a sign of growing compliance, as identifying these vulnerabilities is the first step in managing the risk of an attack.[1] Manufacturers have also begun to patch some of the flaws.
Specific postmarket recommendations for manufacturers include:
- Having a way to monitor and detect cybersecurity vulnerabilities in their devices
- Understanding, assessing and detecting the level of risk a vulnerability poses to patient safety
- Establishing a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities
- Deploying mitigations, such as software patches, to address cybersecurity issues early, before they can be exploited and cause harm.
It identifies federal regulations for postmarket management
Effective cybersecurity risk management incorporates both premarket and postmarket life cycle phases to address cybersecurity needs from medical device conception to obsolescence. Covering the entire product lifecycle will involve adhering to the following from the Code of Federal Regulations:
- 21 CFR part 820: Quality System Regulation requires manufacturers to establish quality systems that help ensure their products consistently meet applicable requirements and specifications. These quality systems are referred to as current good manufacturing practices.
- 21 CFR part 820.198: Complaint Handling identifies what constitutes an actual complaint and how it should be handled based on its origin. This includes incidents that could have resulted in harm or death of the patient, which would require immediate action, or a review of data that identified a problematic trend, which would require postmarket surveillance.
- 21 CFR part 820.22: Quality Audit requires that manufacturers establish procedures for quality audits and conduct those audits to assure the quality system is compliant. The regulation also states that individuals who do not have direct responsibility for the matters being audited should perform the audits. There are also requirements for documenting audit dates, results, and corrective actions (e.g. reaudits).
- 21 CFR part 820.100: Corrective and Preventive Action requires manufacturers to establish and maintain procedures for implementing corrective and preventive actions. Procedures should include requirements for identifying and investigating causes of nonconforming products, identifying corrective or preventive actions, verifying the efficacy of those actions, implementing and recording changes in methods or procedures, disseminating information related to quality problems, and submitting information for management review.
- 21 CFR part 820.30(g): Software Validation and Risk Analysis requires manufacturers to establish and maintain procedures for validating device design, including software where appropriate. The results, including identification of the design, methods, the date, and the individuals performing the validation, must be documented in the Design History File (DHF).
- 21 CFR part 820.200: Servicing requires manufacturers to establish and maintain instructions and procedures for servicing and verifying that the servicing meets specified requirements. Service reports must include important details such as the name of the device serviced, unique identifier or product code, date of service, the service performed, name of the individual servicing the device, as well as test and inspection data.
There are specific methods for applying the risk management framework
The exploitability of the cybersecurity vulnerability and the severity of patient harm are two critical factors in how the risk management framework is to be applied. The Common Vulnerability Scoring System (see image below) helps manufacturers evaluate the severity and potential impact of cybersecurity vulnerabilities and threats. The resulting score then informs the actions that need to be taken with respect to reporting and remediating the risks.
If there is no risk of patient harm or the risk can be controlled, then routine updates, patches, and enhancements will suffice. A Report of Corrections and Removals may be required for an uncontrolled vulnerability. However, if there are no adverse events, the vulnerability is remediated within the specified timeline, and the manufacturer is an active participant in an ISAO, then the report is not required.
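The decision path described above, written out as an added example (not CSA Group's or the FDA's own code). The exploitability bands and the harm matrix are assumptions for illustration; the guidance leaves the actual cut-offs to the manufacturer's risk management procedure.

```python
from dataclasses import dataclass

# Patient-harm levels, ordered from least to most severe (assumed labels).
HARM_LEVELS = ("negligible", "minor", "serious", "critical", "catastrophic")


def exploitability_band(cvss_score: float) -> str:
    """Map a CVSS base score (0.0-10.0) to an assumed low/medium/high band."""
    if not 0.0 <= cvss_score <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    if cvss_score < 4.0:
        return "low"
    if cvss_score < 7.0:
        return "medium"
    return "high"


def risk_is_controlled(cvss_score: float, harm: str) -> bool:
    """Assumed risk matrix: the risk is uncontrolled when exploitability is high
    and harm is serious or worse, or exploitability is medium and harm is
    critical or worse. Everything else is treated as controlled."""
    if harm not in HARM_LEVELS:
        raise ValueError(f"unknown harm level: {harm}")
    band = exploitability_band(cvss_score)
    harm_idx = HARM_LEVELS.index(harm)
    if band == "high" and harm_idx >= HARM_LEVELS.index("serious"):
        return False
    if band == "medium" and harm_idx >= HARM_LEVELS.index("critical"):
        return False
    return True


@dataclass
class Vulnerability:
    cvss_score: float
    harm: str
    adverse_events: bool          # any reported patient harm linked to the flaw
    remediated_in_timeline: bool  # fix delivered within the guidance's window
    isao_participant: bool        # manufacturer actively participates in an ISAO


def postmarket_action(v: Vulnerability) -> str:
    """Return the handling path the postmarket guidance describes."""
    if risk_is_controlled(v.cvss_score, v.harm):
        return "controlled: routine update or patch, no report required"
    # Uncontrolled risk: a Report of Corrections and Removals is expected
    # unless all three exemption conditions hold at once.
    if not v.adverse_events and v.remediated_in_timeline and v.isao_participant:
        return "uncontrolled: remediate; report exempt (no adverse events, on time, ISAO)"
    return "uncontrolled: remediate and file a Report of Corrections and Removals"
```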
Additional requirements and definitions for risk management of medical devices for manufacturers are found in the following standards:
- ANSI/AAMI/ISO 14971: 2007/(R)2010: Medical Devices – Application of Risk Management to Medical Devices; and
- AAMI TIR57: Principles for Medical Device Security—Risk Management
It recommends following the NIST Cybersecurity Framework
One of the FDA’s recommendations to manufacturers is that they apply the National Institute of Standards and Technology’s (NIST) core principles for improving critical infrastructure cybersecurity, which are already in use by over 30% of U.S. organisations.[2]
Managing the risk of a cyber-attack on a medical device can be challenging, even as more guidance documents and best practice frameworks emerge. A manufacturer’s strategy to assure the security of their medical device post-launch should include the services of an accredited third party that can verify compliance with key standards and regulations. CSA Group offers security testing verification, training, and security assurance certification and attestation for medical device manufacturers.
[1] Jessica Davis (January 24, 2019). “Improving Medical Device Security Beyond Patching, Traditional Tools”. Online: Health IT Security <www.healthitsecurity.com/news/improving-medical-device-security-beyond-patching-traditional-tools>
[2] National Institute of Standards and Technology. Industry Impacts: Cybersecurity Framework. Online: <www.nist.gov/industry-impacts/cybersecurity>