On Thursday, June 13, 2013, the U.S. Food and Drug Administration (“FDA”) released a draft guidance on measures to help ensure the cybersecurity of medical devices. The draft guidance, titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” proposes cybersecurity features that should be incorporated into wireless, Internet- and network-connected medical devices (“cybersecurity-vulnerable devices”), as well as information that will be requested in premarket submissions for cybersecurity-vulnerable devices. In addition to the draft guidance, FDA also issued an FDA Safety Communication to medical device manufacturers, hospitals, medical device user facilities, health care IT and procurements staff, and biomedical engineers on cybersecurity for medical devices and hospital networks.
Cybersecurity vulnerability has been an increasing concern for medical devices. A Department of Homeland Security (“DHS”) intelligence bulletin issued in May 2012 noted that “[t]hese vulnerabilities may result in possible risks to patient safety and theft or loss of medical information.” One of the issues noted by the DHS is that “system owners may be reluctant to allow manufacturers access for upgrades or updates.” This reluctance arises out of concerns about access to “sensitive or privacy information,” where the “[f]ailure to install updates lays a foundation for increasingly ineffective threat mitigation as time passes.”
The draft guidance notes that manufacturers of cybersecurity-vulnerable devices should ensure confidentiality, integrity, and availability of data. Although FDA’s draft guidance and safety communication make no mention of either the Health Insurance Portability and Accountability Act (HIPAA), or the Health Information Technology for Economic and Clinical Health Act (HITECH), compliance with HIPAA and HITECH may be one of the standards by which FDA evaluates device cybersecurity. While device manufacturers are generally not subject to HIPAA and HITECH, they have become increasingly sensitive to the needs of customers that must themselves be compliant with these laws.
The draft guidance identifies a number of features that cybersecurity-vulnerable devices are recommended to incorporate. These features fall within three general categories addressing limiting access to trusted users, ensuring trusted content, and incorporating fail safe and recovery features. Some of the features include requiring authentication of users through a user ID and password, smartcard, or biometric, and using data encryption.
Along with the recommended features, the draft guidance also identifies information that should be included in a device premarket submission. This draws upon the extensive information that is already provided in submissions for medical devices that contain software. In particular, the draft guidance recommends that the hazard analysis provided in the submission include the identified cybersecurity risks and the controls put in place to mitigate those risks. The product life-cycle plan should include a discussion on how validated updates and patches to operating systems or medical device software will be provided. The instructions for use are also recommended to include information on appropriate anti-virus software and firewall settings.
One concern raised by the draft guidance and the safety communication is how to handle reporting of cybersecurity modifications to medical device software. Whenever medical device software is updated, manufacturers must address whether the update is reportable as a correction or removal under 21 C.F.R. part 806, and whether the update requires the filing of a new premarket submission with FDA. In FDA’s previous guidance on cybersecurity, “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software,” issued on January 14, 2005, FDA noted that manufacturers would generally not report a cybersecurity patch as a correction or removal, “because most software patches are installed to reduce the risk of developing a problem associated with a cybersecurity vulnerability and not to address a risk to health posed by the device.” Similarly, in addressing whether premarket review would be required prior to implementation of a software patch to address a cybersecurity vulnerability, FDA’s previous guidance noted that manufacturers would “[u]sually not” be required to provide a submission for review given that “review is [generally] necessary when a change or modification could significantly affect the safety or effectiveness of the medical device.”
FDA’s safety communication suggests that FDA may be in the process of reconsidering the impact that cybersecurity vulnerabilities have on device safety and effectiveness. The safety communication notes that “[c]ybersecurity incidents are increasingly likely,” and that FDA believes such “cybersecurity vulnerabilities and incidents . . . could directly impact medical devices or hospital network operations.” Despite this increased focus, FDA has not rescinded its prior guidance “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software,” and noted in the recent safety communication that “FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.”
Manufacturers currently marketing cybersecurity-vulnerable devices should conduct a comprehensive review of their marketed devices for any potential cybersecurity threats. It is likely that the issue of cybersecurity will be a part of FDA medical device establishment inspections. Further, FDA’s recent safety communication suggests that “manufacturers should consider [developing] incident response plans that address the possibility of degraded operation and efficient restoration and recovery” caused by cybersecurity vulnerabilities.
Manufacturers currently developing cybersecurity-vulnerable devices should cover cybersecurity risks during the design control process required under 21 C.F.R. 820.30. It is possible that FDA’s draft guidance may be finalized this year. Even if the guidance remains in draft form, the recommendations may potentially be incorporated into FDA’s premarket review.
Health care facilities are recommended to take steps to evaluate network security and protect hospital networks from cybersecurity risks. This includes monitoring network activity for unauthorized use, and updating security patches and disabling all unnecessary ports and services for each individual network component.
 Device manufacturers may offer a service to a customer covered by HIPAA and HITECH (called “covered entities” in HIPAA), that creates a “Business Associate” relationship with the covered entity. In that situation, the device manufacturer would be subject to HIPAA and HITECH. An example of such a service may be the remote storage of protected health information collected by a medical device.