FDA Publishes Guidance On Cybersecurity Risk Management For Medical Devices


The FDA has published new draft guidance on managing cybersecurity threats that could compromise networked medical devices. Although no direct patient harm from a cybersecurity attack on a medical device has been documented, vulnerabilities in networked medical devices have been known for years and widely reported. White-coat hackers have published detailed vulnerability reports demonstrating how pacemakers, insulin pumps, and surgical robots could all be remotely controlled, with potentially deadly results. In August 2015, the FDA issued its first ever safety alert over a cybersecurity vulnerability in a widely used medical device. The safety alert notified health systems that Hospira’s Symbiq Infusion System contained software vulnerabilities that “could allow an attacker to remotely control the operation of the device, potentially impacting the prescribed therapy and patient safety.” In February 2013, the President issued a series of executive orders tasking government agencies with strengthening the nation’s infrastructure against cybersecurity threats. A second executive order, issued in February 2015, expands on that directive by encouraging the creation of a cybersecurity information sharing network in which government agencies and private businesses can collaborate on potential threats.

In response to the increased threat to equipment deemed critical to public health and the national infrastructure, the FDA has issued its new draft guidance to provide medical device manufacturers additional information on how to manage and mitigate post-market cybersecurity risks. For pre-market risk mitigation, the FDA references a 2014 document outlining appropriate design, test, and validation steps that should be taken by medical device manufacturers prior to submitting devices for approval.

In its new guidance, the FDA calls on medical device manufacturers to establish formal procedures to address software validation and risk analysis, corrective and preventative action, quality auditing, servicing, and complaint handling, noting that manufacturers are required to respond in “a timely fashion” to address newly discovered vulnerabilities. Manufacturers are also being called on to establish post-market cybersecurity risk teams responsible for identifying, assessing, and responding to cybersecurity vulnerabilities. Formal nomenclature and risk assessment strategies are provided to help manufacturers effectively assess the severity of any newly discovered vulnerabilities, with a focus on accurately assessing the potential risk to a device’s clinical performance.

Based on this vulnerability assessment, manufacturers will deem the risk either “controlled” or “uncontrolled,” which in turn triggers the appropriate risk remediation process. Controlled-risk vulnerabilities are defined as ones where there is “sufficiently low (acceptable) residual risk that the device’s essential clinical performance could be compromised by the vulnerability,” while uncontrolled (unacceptable) risks are those where essential clinical performance could be threatened. The FDA has clarified that, in order to support timely cybersecurity software updates and patches for medical devices, it will not conduct premarket reviews to clear or approve such software changes. Manufacturers are required to report uncontrolled risks to the agency unless all of the following conditions hold: there are no known serious adverse events associated with the risk; the manufacturer is part of a cybersecurity information sharing network; and, most importantly, “Within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level.”
