The FDA is pressing forward with efforts to combat cybersecurity threats, with the agency releasing draft guidance providing recommendations for monitoring, identifying and addressing vulnerabilities in medical devices once they have entered the market.
In draft guidance issued Jan. 15, the FDA says manufacturers should implement a structured, systematic and comprehensive cybersecurity risk management program and respond in a timely fashion to identified vulnerabilities.
In the majority of cases, manufacturers conducting routine updates or patches currently are not required to give the agency advance notification, additional premarket review or reporting. But the FDA would require devicemakers to notify the agency for a small subset of vulnerabilities and exploits that may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death.
The FDA does not intend to enforce urgent reporting of the vulnerability to the agency as long as there are no serious adverse events or deaths, the manufacturer notifies users and implements changes to reduce the risk within 30 days, and the manufacturer is a participating member of an information sharing and analysis organization (ISAO), the draft guidance says.
ISAOs are collaborative groups in which public- and private-sector members can share cybersecurity information.
The draft guidance on postmarket devices follows final guidance issued in October 2014 that contains recommendations for incorporating premarket management of cybersecurity during the design stage of device development. The agency held a workshop with stakeholders Jan. 20 and 21 to discuss the draft guidance and the complex challenges in ensuring device cybersecurity.
The agency is encouraging collaboration. Stephen Ostroff, the FDA’s acting commissioner, stressed the need to ensure that medical device systems are protected from intrusions and exploitations, as the devices become increasingly sophisticated, more interconnected and more interoperable.
“We know, for instance, that the risk that the entire healthcare network could be compromised has grown exponentially over time. We also know that it takes work, and it is hard to build cybersecurity into medical devices and systems that are not self-contained at the time that they are actually developed,” he said during the workshop. “As hard as that is, it is probably even harder to maintain cybersecurity after the devices are on the market, because we know that the risks and vulnerabilities and capabilities only increase over time.”
Beau Woods, a core contributor to a grassroots initiative called I Am the Cavalry, explained that there are many pathways to fix a cybersecurity problem, including maintaining a device, eliminating the device from a network, or turning it on only when needed. Ultimately, the solution requires collaboration from the community.
“It is a shared responsibility among everybody in the chain of care delivered. As long as you keep that in mind, I think the option to eliminate risk or remediate risk is down to a controllable level, and the possibility is much greater to succeed,” he said.