FDAnews
www.fdanews.com/articles/14136-tga-releases-draft-guidance-on-device-cybersecurity

TGA Releases Draft Guidance on Device Cybersecurity

January 18, 2019

Australia’s Therapeutic Goods Administration issued draft guidance for devicemakers on cybersecurity risks.

Effective cybersecurity requires steps by manufacturers, sponsors, clinicians and patients, the agency said. If cybersecurity risk is not minimized throughout the life of the device, it can lead to a breach of the confidentiality, integrity or availability of medical device data, or to malicious, unauthorized access to the medical device and the network it is connected to, TGA said.

The TGA pointed to the U.S. National Institute of Standards and Technology’s cybersecurity framework as a model for addressing cybersecurity risks. Along each stage of the device lifecycle, devicemakers need to ensure compliance with essential principles, including risk management for cybersecurity.

The guidance recommends the following considerations for developing a risk management plan:

  • Devices and associated networks can never be completely cyber secure, and device users themselves represent a potential threat;
  • The evolving device cyber threat landscape requires constant monitoring and appropriate corrective and preventive action;
  • Potential harm to patients from adverse events includes physical harm; other consequences for patients could include psychological harm, breaches of privacy and financial loss; and
  • Clinical use of a device often continues well beyond the expected lifespan of the underlying technology, so security patches become less frequent over time and eventually stop once the platform is officially unsupported.

During the design and development stage, manufacturers should address cybersecurity risks, including general considerations such as applicable standards and supply chain assessment. They should also address technical considerations such as cybersecurity performance testing, modular design architecture, operating platform security, emerging software, and trusted access and content provision.

One risk consideration the guidance highlights is the severity of patient harm if a vulnerability is exploited. It suggests using ISO 14971:2007 to determine the risk to patients. The guidance also lists the following standards that could help manufacturers meet regulatory requirements for cybersecurity:

  • ISO 13485 - Quality management systems;
  • IEC/EN 62304 - Software lifecycle requirements;
  • IEC 60601-1 - Safety and essential performance of medical electrical equipment;
  • UL 2900-1 - Cybersecurity for networks and connectable products;
  • UL 2900-2-1 - Particular requirements for network connectable components of healthcare and wellness systems;
  • IEC 80001 - Application of risk management for IT networks incorporating medical devices;
  • AAMI/UL 2800 - Safety and security requirements of interoperable medical systems;
  • ISO 15408 - Evaluation criteria for IT security;
  • IEC 82304 - Health software general requirements for product safety; and
  • ISO/IEC 30111 - Vulnerability handling processes (how to process and resolve potential vulnerability information in a product).


The agency is accepting comments until Feb. 14. Read the draft guidance here: www.fdanews.com/01-18-19-cybersecurity.pdf.

Special Risk Consideration: Cybersecurity

The FDA applies ISO 14971 risk management principles to its oversight of medical device cybersecurity, defined as the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed or transferred from a medical device to an external recipient. “Harm,” according to ISO 14971, means physical injury or damage to the health of people, damage to property or damage to the environment, and “risk” is defined as the combination of the probability of occurrence of harm and the severity of that harm.

This is a bit different from most risk management, which addresses harm to a patient or to a healthcare professional using a device. In its 2005 guidance on pre-market software devices — entitled Content of Pre-market Submissions for Software Contained in Medical Devices — the FDA clearly defines level of concern in terms of injury to a patient or user.

In the case of cybersecurity, however, the FDA and other regulators extend concern beyond the individuals to property and the environment. While physical injury or damage to the health of people remains a top concern for medical device cybersecurity risk management, cybersecurity breaches in general are more likely to involve damage to property.

A particular concern for devicemakers is unauthorized use of information that involves intellectual property. For patients and healthcare providers, unauthorized access to patient health data, which certain medical device software generates and/or stores, is also a major concern. Property damage is in scope for ISO 14971, so the FDA has adopted that standard’s approach for its oversight of device software cybersecurity.

The framework for medical device cybersecurity mirrors that for other risk assessment and mitigation. The FDA also plans to apply the existing National Institute of Standards and Technology (NIST) Cybersecurity Framework. Under this framework, which echoes existing pre- and postmarket risk management principles for medical devices, companies must identify cybersecurity risks, protect their devices against those risks, detect breaches when they occur, respond effectively to them and recover from them.

Excerpted from the FDAnews management report: Device Software Development — A Guide to Risk Management Requirements.