FDA proposes cybersecurity guidance for medical devices

18 January 2016

The U.S. Food and Drug Administration has issued draft guidelines to medical device makers on how to protect patients from cybersecurity vulnerabilities in their devices. The draft guidance, which is not legally binding, recommends that companies take a number of actions, including monitoring and assessing risk, coordinating with government and other groups to disclose vulnerabilities, and taking measures to address cybersecurity risk early.

Most cybersecurity vulnerabilities are considered routine and can be remedied by updates or patches which would not need to be reported under the proposed guidance, the agency said. Companies would be required to report vulnerabilities that could compromise clinical performance of the device and risk a patient's health.

The guidance covers how companies should monitor devices once they have been cleared for marketing. The agency previously issued guidance for companies still in the development stage to help inform design choices. The draft guidance is meant to clarify FDA’s postmarket recommendations, particularly for monitoring, identifying and addressing cybersecurity vulnerabilities and exploits as part of a manufacturer’s postmarket management.

“For a small subset of cybersecurity vulnerabilities and exploits that may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death, the FDA would require medical device manufacturers to notify the Agency,” according to the guidance.

However, the presence of a vulnerability does not necessarily trigger patient safety concerns. FDA says what matters is the impact of the vulnerability on the essential clinical performance of the device and whether it could trigger a safety issue. The agency goes into depth on how to conduct a cyber-vulnerability risk assessment to evaluate whether the risk affects the essential clinical performance of the device and whether it is controlled (acceptable) or uncontrolled (unacceptable).

“One method of assessing the acceptability of risk to essential clinical performance is by indicating in a matrix in which combinations of ‘exploitability’ and ‘severity impact to health’ represent risks that are controlled or uncontrolled,” FDA says. “A manufacturer can then conduct assessments of the exploitability and severity impact to health and then use such a matrix to assess the risk to essential clinical performance for the identified cybersecurity vulnerabilities. For risks that remain uncontrolled, additional remediation should be implemented.”

The proposed guidance will be open for public comment for 90 days, after which the FDA will issue final guidance.

Source: RAPS, Reuters