The Food and Drug Administration (FDA or the Agency), the US regulating authority for healthcare products, has published a guidance document dedicated to postmarket management of cybersecurity in medical devices. The document is intended to clarify various matters related to cybersecurity and to set out recommendations for medical device manufacturers and other parties involved, so that they can ensure compliance with the applicable regulatory requirements. It is important to note that FDA guidance documents are non-binding and do not introduce new rules or obligations. Moreover, as the FDA states, an alternative approach may be applied, provided it complies with the applicable legislation and has been agreed with the authority in advance.

The present article addresses specific matters covered by the guidance, including the recommended content of periodic reports and the criteria for active participation in an Information Sharing Analysis Organization (ISAO).


Recommended Content to Include in PMA Periodic Reports

As explained by the FDA, the periodic reports submitted to the Agency for medical devices placed on the market under the premarket approval (PMA) framework should also cover cybersecurity. In particular, the report should provide details of the cybersecurity vulnerabilities identified, the compensating controls introduced to mitigate the resulting risks, and the changes the device was subject to during the reporting period.

According to the guidance, the regulating authority encourages medical device manufacturers to provide the following information:

  • Details of the vulnerabilities identified, including how the manufacturer became aware of them;

  • Results of the risk assessment undertaken by the manufacturer to determine whether the risk of patient harm was controlled or uncontrolled;

  • Details of the changes made to the medical device in question, together with a comparison against the version already approved for marketing and use in the US;

  • Justification of the changes (the reasons behind them);

  • Information about similar products that were changed to address similar cybersecurity issues;

  • Details of any incidents that gave rise to the changes (including references to Medical Device Reports);

  • The Unique Device Identifier (UDI);

  • A link to an ICS-CERT advisory or other government or ISAO alert;

  • Details of any notifications communicated to customers about devices already placed on the market;

  • Details of the ISAO to which the cybersecurity issue has been reported;

  • References to other relevant submissions (PMA Supplement, 30-Day Notice, 21 CFR Part 806 correction/removal reports, etc.), if any, or the scientific and/or regulatory basis for concluding that the change did not require a submission or report.

Criteria for Defining Active Participation by a Manufacturer in an ISAO

The FDA additionally emphasizes that active participation by a manufacturer in an ISAO can assist the company, the medical device community, and the Healthcare and Public Health (HPH) Sector by proactively addressing cybersecurity vulnerabilities and minimizing exploitation through the timely deployment of risk control measures, including communication and coordination with patients and users.

When determining whether a particular medical device manufacturer participates actively in an ISAO, the regulating authority will consider the following criteria:

  1. Active membership in an ISAO that deals with cybersecurity matters;
  2. The existence of internal policies describing how the manufacturer participates in the operations of that ISAO;
  3. Actual sharing with the ISAO of information about vulnerabilities identified;
  4. The existence of internal policies and procedures, developed and implemented by the manufacturer, ensuring that information on cybersecurity issues and vulnerabilities is duly shared with the ISAO. According to the guidance, the information shared should cover medical device risk assessments, countermeasure solutions, and mitigations.

The authority further states that, to be considered an active participant in an ISAO, the manufacturer should duly document all processes associated with its membership and information exchange, and should hold evidence demonstrating that each of the criteria listed above is met.


Elements of an Effective Postmarket Cybersecurity Program 

Apart from the aspects highlighted above, the guidance also provides recommendations on the postmarket cybersecurity program and the components it should contain. According to the guidance, the general approach should be built around the five core functions of the NIST Framework for Improving Critical Infrastructure Cybersecurity: Identify, Protect, Detect, Respond, and Recover. The document describes each of them in detail.

  1. Identify 
    1. Maintaining Safety and Essential Performance. As explained by the FDA, medical device manufacturers should assess the cybersecurity risk associated with the vulnerability in question and evaluate the harm that could result if it were exploited. In this regard, the manufacturer should define and apply appropriate risk acceptance criteria.
    2. Identification of Cybersecurity Signals. According to the document, claims and complaints are important sources of information about the device and about its safety and performance. Hence, manufacturers should systematically collect and analyze signals from a variety of sources.
  2. Protect/Detect
    1. Vulnerability Characterization and Assessment. The authority encourages manufacturers to characterize each vulnerability identified, for instance by applying a vulnerability scoring system such as the Common Vulnerability Scoring System (CVSS). The factors to be considered include, inter alia, remote exploitability, attack complexity, the privileges an attacker needs, the actions required of the user, exploit code maturity, and report confidence.
    2. Risk Analysis and Threat Modeling. According to the guidance, the risk analysis carried out by a manufacturer should also include threat modeling: identifying the assets and security objectives of the system, enumerating the ways an attacker could compromise them, and then defining countermeasures to prevent or mitigate those threats.
    3. Analysis of Threat Sources. In addition to characterizing the vulnerabilities identified, manufacturers are also encouraged to characterize the threat sources, since who is likely to exploit a vulnerability, and with what capability, is important input to the risk assessment.
    4. Incorporation of Threat Detection Capabilities.
    5. Impact Assessment on All Devices.
  3. Protect/Respond/Recover
    1. Compensating Controls Assessment (Detect/Respond)
  4. Risk Mitigation of Safety and Essential Performance. Once all information about the newly identified vulnerability has been collected and analyzed, the manufacturer should determine whether the associated risk can be mitigated by existing or compensating controls and whether the residual risk is acceptable. A benefit/risk evaluation should also be carried out at this stage. In most cases a recall is not needed, as most vulnerabilities can be addressed through patches and updates.

In summary, the present FDA guidance highlights the most important aspects of cybersecurity in the context of the postmarket activities to be undertaken by medical device manufacturers. The scope of the document covers the responsibilities of manufacturers, as well as the key points to be considered by the regulating authority.


How Can RegDesk Help?

RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.