FDA tackles postmarket medical device cybersecurity

By Kathryn Brown, DePaul University College of Law, WK Legal Scholar

Increasingly, medical devices may be accessed via wireless technologies that transform health care by improving patient mobility, enabling the remote programming of devices, and allowing remote access to and monitoring of patient data. Despite these apparent benefits, medical devices pose serious safety and security risks to patients and health care entities. Like other computer systems, medical devices are vulnerable to security breaches. The FDA stated, “[t]he failure to maintain the cybersecurity of medical devices can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of connected devices or networks to security threats.” This vulnerability has led to many concerns about potential harms that could arise via medical devices. For example, according to ABC News, Thomas Lewis, Partner-in-Charge at LBMC Information Security, stated that “[a] hacker attempting to get patient data could accidentally knock out medical devices connected to the Wi-Fi network, such as an MRI or X-ray machine.” Additionally, as an extreme example of the harm that device hackers could cause, The Washington Post reported that former Vice-President Dick Cheney chose to disable the wireless function of his heart implant for fear that it could be hacked in an assassination attempt.

In response to growing concerns about the cybersecurity vulnerability of medical devices, the FDA issued a draft guidance entitled “Postmarket Management of Cybersecurity of Medical Devices.” This new draft guidance builds on the FDA’s prior cybersecurity guidance issued in October 2014, which encouraged medical device manufacturers to develop and incorporate cybersecurity controls into medical devices at the premarket design stage. The new draft guidance outlines recommendations to aid medical device manufacturers in monitoring, identifying, and addressing cybersecurity vulnerabilities in devices that have already entered the market. This guidance applies to medical devices that contain software or programmable logic, as well as software that qualifies as a medical device. It does not apply to experimental or investigational medical devices.

Overview of the Draft Guidance

The draft guidance provides overarching recommendations on assessing cybersecurity risk, as well as manufacturers’ remediation and reporting obligations. In order to determine whether their device vulnerability is controlled, the FDA encourages manufacturers to “define and document their process for objectively assessing the cybersecurity risk for their devices.” This process should be tailored to the device as well as the clinical performance and situation. The FDA’s draft guidance indicates that “critical components” of a cybersecurity surveillance program include:

  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  • Understanding, assessing and detecting presence and impact of a vulnerability;
  • Establishing and communicating processes for vulnerability intake and handling;
  • Clearly defining essential clinical performance to develop mitigations that protect, respond, and recover from the cybersecurity risk;
  • Adopting a coordinated vulnerability disclosure policy and practice; and
  • Deploying mitigations that address cybersecurity risk early and prior to exploitation.

The FDA further advises manufacturers to exercise “good cyber hygiene” through routine device maintenance and the timely implementation of a comprehensive risk management program to mitigate cybersecurity risks and vulnerabilities. Manufacturers are reminded that they must report to the FDA any device vulnerability that poses an uncontrolled risk. As an additional security measure, the FDA suggests implementing the 2014 National Institute of Standards and Technology (NIST) Voluntary Framework for Improving Critical Infrastructure Cybersecurity.

Impact of the Draft Guidance

The FDA draft guidance is neither final nor codified; however, attorney Ronald Lee, along with several of his colleagues, believes that the FDA has “essentially made cybersecurity vulnerability management throughout the lifecycle of medical devices a long-term and likely permanent aspect of regulatory compliance.” The proactive recommendations for device manufacturers demonstrate that medical device cybersecurity is a priority for the FDA. However, medical devices and cybersecurity threats are continually evolving; therefore, postmarket controls will not entirely eliminate these risks. Device manufacturers need to implement comprehensive cybersecurity risk management programs to address any device security vulnerabilities. The FDA accepted comments on the draft guidance until April 21, 2016, and will consider the comments before drafting the final version of the guidance. Whether or not these recommendations are codified, device manufacturers ought to be carefully assessing and evaluating the potential vulnerabilities that may appear throughout a device’s lifecycle, so as to better protect patient safety.

Kathryn Brown is pursuing her law degree from DePaul University College of Law. She completed her undergraduate degree summa cum laude from St. Ambrose University with a Bachelor’s Degree in Political Science and a concentration in International Politics. Kathryn is a Staffer on the DePaul Law Review, Fellow and Vice-Director of Programming for the Jaharis Health Law Institute, and a General Staff Writer for the Institute’s E-Pulse newsletter.