The FDA recently issued a Safety Communication on cybersecurity and medical devices and draft guidance recommending that manufacturers specifically address cybersecurity in premarket submissions for medical devices. The FDA has not addressed cybersecurity with regard to medical devices since the issuance of the last cybersecurity-related guidance document in 2005. Are medical device hackers on the rise? What do you need to know?
The Safety Communication recommended “medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.” In that Communication, the FDA outlined incidents of cybersecurity vulnerabilities potentially affecting medical devices and hospital networks, such as malware on various devices used to access patient data and distribution of passwords for privileged device access, which could result in unauthorized access and, therefore, patient illness, injury or death. The FDA noted, however, that it is not aware of any patient injuries or deaths associated with these incidents.
The FDA provided its current thinking on how to address cybersecurity pertaining to medical devices in a draft guidance released in June 2013 titled, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” “Cybersecurity,” as used in the draft guidance, means “the process of preventing unauthorized modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.” The draft guidance applies to the following premarket submissions for medical devices that contain software: Premarket Notification (510(k)) including Traditional, Special and Abbreviated 510(k) submissions; de novo petitions; Premarket Approval Applications (PMA); Product Development Protocols (PDP); and Humanitarian Device Exemption (HDE) submissions. The FDA notes that manufacturers may also utilize the draft guidance for Investigational Device Exemption submissions and devices exempt from premarket review.
The draft guidance recommends that medical device manufacturers develop measures to maintain “confidentiality” (only authorized users access data, information, or systems at authorized times and in authorized ways), “integrity” (data and information are accurate and only modified by authorized users), and “availability” (timely and reliable) with regard to cybersecurity as part of the design phase of a medical device.
The draft guidance extends the scope of design validation, 21 C.F.R. 820.30(g), suggesting that manufacturers provide the following cybersecurity information in the premarket submission:
hazard analysis and mitigation design options for intentional and unintentional cyberattacks;
a matrix that traces cybersecurity controls to risks;
a plan to provide updates and patches to address contemporaneous cyberattacks;
documentation ensuring that the device is free of malware at the time of purchase/use; and
instructions for anti-virus protection.
The level of cybersecurity control will depend on the type and capability of the device. The FDA recommends that the manufacturer justify the cybersecurity controls in the premarket submission.
The Safety Communication reminds medical device manufacturers, user facilities, and importers of their various reporting obligations such as reporting adverse events, death, serious injury, and malfunctions in accordance with the Medical Device Reporting (MDR) regulations. The Safety Communication also includes FDA’s request that manufacturers voluntarily report cybersecurity incidents through FDA’s Safety Information and Adverse Event Reporting program, MedWatch.