The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of healthcare products, has published a guidance document dedicated to cybersecurity matters related to medical devices. Among other aspects, the guidance addresses the ones related to remediating and reporting cybersecurity vulnerabilities.
Due to its legal nature, the document is not intended to introduce new rules and requirements, but to provide additional clarifications and recommendations to be followed by medical device manufacturers and other parties involved. Moreover, an alternative approach could be applied, provided such an approach complies with the respective regulatory requirements and has been agreed with the authority in advance.
As it was mentioned before, the risk associated with a vulnerability identified should be evaluated depending on its exploitability. In particular, the medical device manufacturer (software developer) shall determine whether the risk is “controlled”, meaning that the residual risk is acceptable, or “uncontrolled”, if otherwise. During such an assessment, the manufacturer shall also consider the controls and additional measures that have been already implemented to mitigate the risk.
Under the general rule, minor software changes intended to improve cybersecurity aspects are not subject to premarket review. It is also stated that the responsibilities of the manufacturer include:
- Developing and implementing a coordinated vulnerability disclosure policy describing the particular approach to be applied when reporting vulnerabilities identified;
- Implement good cyber hygiene practices based on risk assessment, and also take measures to mitigate existing risks, even if they do not exceed acceptable level;
- React on cybersecurity vulnerabilities identified by implementing additional measures;
- Carry out software validation to ensure the measures implemented to mitigate risks would not result in other risks appearing;
- Properly document the methods and controls used in the design, manufacture, packaging, labeling, storage, installation, and servicing of all finished devices as required by 21 CFR part 820;
- In case of new vulnerabilities identified, to implement additional compensating controls to mitigate the new risks before making changes to the design of a medical device;
- Ensure the persons using the device have all necessary information regarding cybersecurity risks associated with the device and the way they could be mitigated;
- Recognize that some changes made to strengthen device security might also significantly affect other device functionality (e.g., use of a different operating system) and assess the scope of change to determine if additional premarket or postmarket regulatory actions are appropriate.
However, the Agency also acknowledges that due to the specific nature of cybersecurity risks, active involvement of all the parties operating with medical devices is necessary to ensure the effectiveness of cybersecurity measures and controls. At the same time, the most important role in ensuring the safety of medical devices in the context of cybersecurity risks should be played by medical device manufacturers. Hence, the document further describes in detail the aspects medical device manufacturers should be responsible for.
Controlled Risk of Patient Harm
The first concept described by the FDA is the concept of a controlled risk, which stands for the situation when there is a sufficiently low (acceptable) residual risk of patient harm due to vulnerability.
As it was mentioned before, medical device manufacturers shall take all the measures necessary to mitigate cybersecurity risks associated with the devices they are responsible for, even if such risks do not exceed the acceptable level. Additionally, the manufacturers should promote good cyber hygiene practices.
In terms of changes and compensating controls, the FDA emphasizes the following:
- As described hereinabove, minor changes to the device (e.g., patches, updates) which are intended to improve cybersecurity, are not subject to reporting or approval;
- The manufacturers may implement additional protective measures and controls even if from the regulatory perspective the residual risk is acceptable and further mitigation is not formally required;
- If a change to the software is being introduced only to mitigate the risks associated with newly identified cybersecurity vulnerability, such a change would be considered as minor update and, consequently, do not require additional approval;
- In case the device is placed on the market under the premarket approval (PMA) framework, the periodic (annual) reports submitted by the manufacturer should also address the aspects related to cybersecurity, including the new vulnerabilities identified and measures that are duly taken to mitigate them.
The guidance also provides several examples of vulnerabilities and describes the approach the manufacturer may apply to mitigate them.
- In case the manufacturer becomes aware of the device infected by malware, first of all, the manufacturer shall evaluate the impact caused by such malware. Should the manufacturer identify that such malware does not result in additional risks requiring specific actions to be taken, the manufacturer should inform the users about the way such malware could be removed, and also develop and implement additional solutions to avoid such situations in the future.
- In case the manufacturer becomes aware of a cybersecurity vulnerability that was publicly disclosed, an assessment should be carried out to identify the risks associated with exploiting such vulnerability. Should it be identified that when exploiting the vulnerability, unauthorized third parties may get access to patients’ data the device stores, but cannot alter such data, the manufacturer shall deem the risk as acceptable, notify the parties involved and implement additional measures to repeal the vulnerability.
- The manufacturer becomes aware of cybersecurity vulnerabilities that could be exploited only when there is physical access to the device. Thus, the risk associated with such vulnerability will be deemed acceptable, so the manufacturer may address the vulnerability by the device of minor update that will not require to be notified to or approved by the regulating authority, as long as such update will be intended solely to address the cybersecurity vulnerability identified.
- The manufacturer becomes aware that the general computing equipment used with the medical device is infected by malware. Should it be identified that such malware does not impact the operations of the medical device connected to such computing equipment, the risk would be deemed acceptable and could be mitigated by the virtue of minor updates.
Uncontrolled Risk to Safety and Essential Performance
Apart from controlled risk, the guidance addresses the aspects related to uncontrolled risks associated with cybersecurity vulnerabilities. According to the document, uncontrolled risk stands for a situation when there is an unacceptable residual risk of patient harm due to insufficient risk mitigations and compensating controls. As described by the FDA, the scope of assessment to be carried out by the manufacturer shall cover the exploitability of such vulnerability, as well as the severity of harm that could be potentially caused to the patient. Should the risk be considered uncontrolled, additional measures should be duly developed and implemented by the manufacturer to mitigate such risk.
In summary, the present FDA guidance describes in detail the approach to be applied by medical device manufacturers when determining whether the risk associated with cybersecurity vulnerability is controlled or uncontrolled. The document also provides additional clarifications regarding the responsibilities of medical device manufacturers in terms of cybersecurity-related matters.
How Can RegDesk Help?
RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.
Want to know more about our solutions? Speak to a RegDesk Expert today!