On January 15, 2016, the U.S. Food and Drug Administration (“FDA”) released draft guidance entitled, “Postmarket Management of Cybersecurity in Medical Devices,” outlining recommendations to medical device manufacturers for managing postmarket cybersecurity vulnerabilities for marketed medical devices. The FDA stresses that an effective cybersecurity risk management program should address potential cybersecurity risks throughout the product’s entire lifecycle. The draft guidance addresses the shared concerns of the FDA, manufacturers, providers, and consumers about the risks to the safety and efficacy of medical devices and private patient data and the difficulties in detecting new cybersecurity threats. The 2016 draft guidance builds on premarket approval cybersecurity risk management recommendations published by the FDA in its 2014 guidance.
The draft guidance adds to a larger government initiative to protect and bolster the country’s cybersecurity infrastructure. In February 2013, the President issued Executive Order 13636, which called on stakeholders to strengthen the cybersecurity of critical systems, especially those within the healthcare sector, and Presidential Policy Directive 21, which tasked federal government entities to enhance the security and resilience of key infrastructure against cyber threats. The draft guidance also includes the cybersecurity framework (i.e., identify, protect, detect, respond and recover) developed by the National Institute of Standards and Technology (“NIST”) in response to Executive Order 13636.
Manufacturers should carefully assess the draft guidance and consider its potential impact. The comment period will remain open until April 21, 2016.
Draft Guidance on Postmarket Medical Device Cybersecurity Management Program
The draft guidance recommends that manufacturers develop and implement comprehensive cybersecurity risk management programs that would:
- Monitor cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
- Understand, assess, and detect presence and impact of a vulnerability;
- Establish and communicate processes for vulnerability intake and handling;
- Clearly define essential clinical performance to develop mitigations that protect, respond, and recover from the cybersecurity risk;
- Adopt a coordinated vulnerability disclosure policy and practice; and
- Deploy mitigations that address cybersecurity risk early and prior to exploitation.
Evaluating Cybersecurity Vulnerabilities
The draft guidance recommends that manufacturers implement a process for objectively assessing the cybersecurity risk to the device’s essential clinical performance by considering two factors: (1) the exploitability of the cybersecurity vulnerability; and (2) the severity of the health impact to patients if the vulnerability were exploited.
The FDA recognizes that in many cases, it is difficult to estimate the probability of a cybersecurity vulnerability and suggests using cybersecurity vulnerability assessment tools or a scoring system that rates vulnerabilities to help determine the necessity and urgency for a response.
The draft guidance recommends that manufacturers make a binary determination as to whether a risk to the essential clinical performance of the device is “controlled” (acceptable residual risk) or “uncontrolled” (unacceptable residual risk) using a process that is tailored to the specific product, its essential clinical performance, and the situation.
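As an added illustration (not code from the FDA guidance or from this alert), the following Python computes the exploitability and impact subscores of the CVSS v3.0 system the FDA cites as a scoring tool, then combines exploitability with a health-impact rating into the controlled/uncontrolled determination described above. The health-impact scale and the thresholds are assumptions for illustration only; the draft guidance leaves that determination to a device-specific process.

```python
import math

# CVSS v3.0 base-metric weights for Scope: Unchanged. These are the
# published v3.0 constants, not values defined by the FDA guidance.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": 0.85, "L": 0.62, "H": 0.27}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def roundup(x):
    """CVSS v3.0 round-up: smallest one-decimal number >= x."""
    return math.ceil(x * 10) / 10


def cvss3_scores(vector):
    """Parse a CVSS:3.0 base vector (Scope Unchanged only) and return
    (exploitability subscore, impact subscore, base score)."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    if m["S"] != "U":
        raise ValueError("this example handles Scope:Unchanged only")
    exploitability = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["PR"]] * UI[m["UI"]]
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    impact = 6.42 * iss
    base = 0.0 if impact <= 0 else roundup(min(impact + exploitability, 10))
    return round(exploitability, 1), round(impact, 1), base


# Assumed, illustrative decision rule (not from the guidance): the
# manufacturer rates patient harm if the vulnerability were exploited as
# 'negligible', 'minor', 'serious' or 'catastrophic'; exploitability
# comes from the CVSS subscore (max 3.9).
def residual_risk(vector, health_impact):
    """Return 'controlled' or 'uncontrolled' for the device's essential
    clinical performance, using the assumed thresholds below."""
    exploitability, _, _ = cvss3_scores(vector)
    if health_impact == "catastrophic" and exploitability >= 1.0:
        return "uncontrolled"          # even hard-to-reach flaws count here
    if health_impact == "serious" and exploitability >= 2.0:
        return "uncontrolled"          # easy to exploit and harmful
    return "controlled"


if __name__ == "__main__":
    v = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    print(cvss3_scores(v), residual_risk(v, "serious"))
```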
Remediating and Reporting Cybersecurity Vulnerabilities
The draft guidance focuses on situations where there is an uncontrolled or high risk to the essential clinical performance of a device, as opposed to a controlled or sufficiently low risk, and provides recommendations to address vulnerabilities in that situation, such as:
- Remediate vulnerabilities to bring the risk down to an acceptable level;
- Identify and implement risk mitigations and compensating controls, such as a work-around or temporary fix, when an official fix is not feasible or immediately practicable in order to sufficiently reduce the risk;
- Assess device changes to see if there is a need to send a premarket submission (e.g., PMA supplement, 510(k), etc.) to the FDA;
- Include remediation of devices that require reporting (e.g., Class III devices) in the annual report;
- Notify customer base and user community of relevant information on recommended work-arounds, temporary fixes, and residual cybersecurity risks so they can take proactive and appropriate measures to reduce the risk and make informed decisions regarding device use;
- Report information concerning cybersecurity vulnerabilities, device changes made in response to the cyber threats, and controls implemented after detection of the threat to the FDA in an annual report. More information on content to include in the report is mentioned below. These requirements apply if the product is a premarket approval (“PMA”) device with reporting requirements under 21 CFR 814.84; and
- Report cyber vulnerabilities to the FDA per 21 CFR part 806, unless reported under 21 CFR parts 803 or 1004. Exceptions to the reporting requirements are detailed below.
Where a device manufacturer fails to remediate an uncontrolled risk to a device, the device may be considered to have a reasonable probability of a serious adverse effect or death and may be considered in violation of the Federal Food, Drug, and Cosmetic Act and subject to enforcement actions.
Notably, the draft guidance states that manufacturers of devices will not have to submit reports or updates to the FDA regarding routine software fixes in most cases, as these are considered device enhancements, and instead, device makers could submit this information in their annual reports. Additionally, the FDA does not require reporting where: (1) there are no serious adverse effects or death due to the vulnerability; (2) within 30 days of learning of the vulnerability, the manufacturer identifies and enacts device changes to mitigate some of the risk and notifies users; and (3) the manufacturer is a member of an Information Sharing Analysis Organization (“ISAO”).
However, where there is a cybersecurity threat or breach that compromises the essential clinical performance of a device or presents a reasonable chance of serious adverse health effects or death, the FDA requires manufacturer notification.
Recommended Content to Include in PMA Periodic Reports
The draft guidance recommends that manufacturers of premarket approval devices subject to periodic reporting requirements include the following information in their annual reports:
- A brief description of the vulnerability prompting its change including how the firm became aware of the vulnerability;
- A summary of the conclusions of the firm’s risk assessment including whether the risk to essential clinical performance was controlled or uncontrolled;
- A description of the change(s) made, including a comparison to the previously approved version of the device;
- The rationale for making the change;
- Reference to other submissions/devices that were modified in response to this same vulnerability;
- Identification of event(s) related to the rationale/reason for the change (e.g., MDR number(s), recall number);
- Unique Device Identification (UDI) should be included, if available;
- A link to an ICS-CERT advisory, if applicable;
- The date and name of the ISAO to which the vulnerability was reported, if any; and
- Reference to other relevant submission, if any, or the scientific and/or regulatory basis for concluding that the change did not require a submission.
The FDA has stressed the importance of continual assessment by device manufacturers of the cybersecurity risks affecting a device, given the evolving nature of cyber attacks. Therefore, device manufacturers should monitor their products on an ongoing basis over the entire lifecycle of the product. Furthermore, manufacturers need to take a proactive and preventive approach to cybersecurity measures for their devices in order to stay ahead of continually growing cybersecurity threats and to reduce risks to patient safety.
These programs and related documentation must be consistent with the Quality System Regulation (21 CFR part 820), including, for example, complaint handling (21 CFR 820.198), quality audit (21 CFR 820.22), corrective and preventive action (21 CFR 820.100), software validation and risk analysis (21 CFR 820.30(g)), and servicing (21 CFR 820.200).
One such tool recommended by the FDA is the “Common Vulnerability Scoring System” Version 3.0, which provides a numerical rating system for vulnerabilities based on a number of factors such as remediation level and attack complexity.
On February 13, 2015, the President issued Executive Order 13691 to encourage the development of ISAOs to serve as hubs for cybersecurity information sharing. ISAOs gather, analyze, and exchange information about cybersecurity risks and adverse events that their members have experienced in order to prevent future cybersecurity threats. ISAOs include members from the private and public sectors and across industries.
*Krishna Kavi is only admitted to practice law in the state of New York. Her practice is supervised by principals of the firm admitted in the District of Columbia.