The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of healthcare products, has published a guidance document dedicated to postmarket management of cybersecurity in medical devices. The document provides additional clarifications on the applicable regulatory framework, as well as recommendations to be considered by medical device manufacturers (software developers) and other parties involved. The Agency also mentions that the approach described in the guidance is non-binding, and an alternative approach could be applied, provided such an approach complies with the applicable regulatory requirements and has been agreed with the authority in advance.
According to the applicable legislation, a manufacturer should establish, document, and maintain through the medical device lifecycle an ongoing process for identifying hazards associated with the cybersecurity of a medical device, estimating and evaluating the associated risks, controlling these risks, and monitoring the effectiveness of the controls. This process should include risk analysis, risk evaluation, risk control, and incorporation of production and post-production information. The authority further explains that medical device manufacturers are obliged to develop and implement an efficient process of risk evaluation. Once an issue has been identified, it will be necessary to determine whether the risk associated thereto is acceptable or unacceptable. The Agency mentions that the present guidance is not exhaustive due to a wide range of cybersecurity-related issues that could arise. Neither does it cover all situations when the risk is controlled or uncontrolled. Hence, to ensure the safety and effectiveness of medical devices, the authority encourages medical device manufacturers to implement an approach based on the devices they are responsible for and their specific features.
As it is further described by the FDA, the approach to be applied when assessing the risk of patient harm should be based on the following factors:
- The exploitability of the cybersecurity vulnerability, and
- The severity of patient harm if the vulnerability were to be exploited.
In the course of the risk analysis, the manufacturer should also take into consideration additional measures implemented to mitigate the risk.
Assessing Exploitability of the Cybersecurity Vulnerability
First, the FDA describes in detail the approach to be applied when assessing the exploitability of a cybersecurity vulnerability. The authority acknowledges the difficulties one may face when conducting such an assessment. According to the guidance, if the data related to the probability of the occurrence of harm is not currently available to the manufacturer, the latter should make its decisions based on the worst-case scenario. Alternatively, due to the specific nature of software-related issues, the probability of their occurrence could be considered as 1. The authority also encourages medical device manufacturers to apply the appropriate scoring systems when making decisions on the actions to be taken to address them. In particular, the Agency suggests using the “Common Vulnerability Scoring System” Version 3.0. The factors to be assessed when applying the system include the following ones:
- Attack Vector (physical, local, adjacent, network);
- Attach Complexity (high, low);
- Privileges Required (none, low, high);
- User Interaction (none, required);
- Scope (changed, unchanged);
- Confidentiality Impact (high, low, none);
- Integrity Impact (none, low, high);
- Availability Impact (high, low, none);
- Exploit Code Maturity (high, functional, proof-of-concept, unproven);
- Remediation Level (unavailable, work-around, temporary fix, official fix, not defined);
- Report Confidence (confirmed, reasonable, unknown, not defined).
The authority additionally emphasizes the importance of weighting the particular aspects as it impacts the total score.
Apart from the one described hereinabove, the Agency also refers to several other systems and standards to be considered by medical device manufacturers when deciding on the approach to be applied when assessing the exploitability of cybersecurity risks.
Assessing Severity of Patient Harm
Another important aspect the FDA pays attention to is related to assessing the severity of patient harm that could be potentially caused. In particular, the document describes the approach prescribed by the standard ANSI/AAMI/ISO 14971: 2007/(R)2010: Medical Devices – Application of Risk Management to Medical Devices. Under this approach, a harm that could be potentially caused to a patient as a result of exploiting the vulnerability could be divided into five categories depending on its severity.
Evaluation of Risk of Patient Harm
As mentioned before, a key purpose of conducting the cyber-vulnerability risk assessment is to evaluate whether the risk of patient harm is controlled (acceptable) or uncontrolled (unacceptable). For this purpose, the authority suggests using a special matrix providing the possibility to analyze potential combinations of the two main criteria: “exploitability” and “severity of patient harm”. As described in the document, this should be a third step to be taken by the manufacturer, after assessing the exploitability and severity of patient harm.
Should the manufacturer identify that some of the risks associated with cybersecurity matters remain uncontrolled, it will be necessary to implement additional measures.
To assist medical device manufacturers in applying the approach described herein, the document also provides an example matrix. The authority mentions that in some cases it becomes quite difficult to decide. At the same time, the Agency encourages the manufacturers to make binary determinations stating that the particular vulnerability is controlled or uncontrolled. Such a determination should be made on a case-by-case basis depending on the specific aspects of the medical device in question. If necessary, the manufacturer should duly implement additional measures to ensure the risk that remains (“residual risk”) does not exceed an acceptable level.
The example matrix provided by the FDA: A matrix similar to the one provided here could be used for evaluating the risk of patient harm. In particular, it provides a visual representation of the relationship between exploitability and severity of patient harm. Such an approach should be applied by a medical device manufacturer when determining whether the particular cybersecurity-related risk associated with a medical device is controlled or uncontrolled.
In summary, the present FDA guidance describes the approach to be employed by medical device manufacturers in the context of analyzing the risks associated with cybersecurity vulnerabilities. The authority provides recommendations to be considered when assessing the exploitability of a vulnerability identified, the severity of harm that could be potentially caused to a patient and also evaluating the risk.
How Can RegDesk Help?
RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.