The Food and Drug Administration (FDA or the Agency), the US regulatory authority for medical devices, has published a guidance document dedicated to the postmarket management of cybersecurity in medical devices. The final version of the document was issued in December 2016.

Due to its legal nature, the FDA guidance provides additional recommendations and clarifications on the matter but does not introduce any rules or requirements to be followed by the parties involved. Moreover, an alternative approach could be applied, provided such an approach complies with the applicable regulatory requirements and has been approved by the authority in advance.

Regulatory Background 

The present FDA guidance is intended to provide additional recommendations on how postmarket cybersecurity vulnerabilities should be managed with regard to medical devices that have already been placed on the market. However, medical device manufacturers shall take all measures necessary to address cybersecurity risks at all stages of the product’s lifecycle, starting from the initial design and development of a medical device. 

The authority states that the number of medical devices requiring connection to local and/or global networks is increasing. Such devices are therefore exposed to cybersecurity threats, which could result in additional risks for patients, including the disclosure of sensitive medical information or even harm to the patient’s health. Thus, in order to ensure the safety and effectiveness of a medical device, it is vitally important to sustain a sufficient level of protection throughout the whole period the device is in use. The authority additionally emphasizes the importance of proactively addressing the risks related to potential exploitation of cybersecurity vulnerabilities. 

According to the present guidance, the manufacturers shall monitor, identify, and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices. The document further describes the applicable regulatory framework based on associated risks. In particular, the FDA provides additional clarifications regarding the change control requirements and situations when they could be waived. 

Under the general rule, medical device manufacturers are obliged to duly notify the regulating authority about any actions taken to mitigate newly identified risks associated with medical devices, such as corrections and removals. At the same time, in the case of software products, the way such actions are performed differs due to the intangible nature of software. In particular, medical device manufacturers introduce the changes necessary to address newly identified cybersecurity risks through patches and updates. Consequently, such actions do not trigger the reporting requirements applicable to corrective actions. However, it is stated that if such actions have been taken to mitigate the risks associated with cybersecurity vulnerabilities that could create additional risks to patients’ health, the manufacturer shall duly notify the authority about the actions taken. 

The document also describes the recommended approach for assessing risks to patients’ health in order to identify whether they are sufficiently controlled or not. Such an assessment should be based on the following factors:

  • The likelihood of exploit,
  • The impact of exploitation on the device’s safety and essential performance, and 
  • The severity of patient harm if exploited. 

The guidance also contains references to the FDA-recognized voluntary consensus standards[1] medical device manufacturers can use in order to demonstrate compliance with the applicable regulatory requirements. 

General Approach to Cybersecurity 

The FDA explicitly states that ensuring the proper mitigation of cybersecurity risks should be a shared responsibility of all parties involved in operations with medical devices. It is stated that efficient cooperation among them is necessary to ensure the continuous safety of medical devices in the context of cybersecurity threats and vulnerabilities within the whole period they are being used. 

According to the document, the broad definition of stakeholders in terms of cybersecurity includes such parties as:

  • The medical device manufacturer,
  • The user, 
  • The Information Technology (IT) system integrator, 
  • Health IT developers, and
  • IT vendors that provide products that are not regulated by the FDA. 

Hence, the Agency encourages all the parties listed above to establish an efficient system of collaboration, including but not limited to information exchange regarding the cybersecurity vulnerabilities identified. 

The proactive approach mostly applies at the premarket stage, in the course of the design and development of a medical device. At the same time, the same approach could also be applied at the postmarket stage by establishing efficient information exchange and monitoring, as well as by promoting “good cyber hygiene” and applying a risk-based approach to all newly identified vulnerabilities. As a part of this process, it is also vitally important to ensure that all actions necessary to mitigate the risks are sufficient and are taken in a timely manner. 

The document also refers to the voluntary “Framework for Improving Critical Infrastructure Cybersecurity” developed by the National Institute of Standards and Technology as a basis for the approach to cybersecurity to be employed by the parties involved. 

According to the guidance, the efficient exchange of information related to cybersecurity vulnerabilities and exploits could be useful in the context of addressing newly identified issues. 

Information Sharing Analysis Organizations 

Another important aspect highlighted in the present guidance document relates to the Information Sharing Analysis Organizations (ISAOs) intended to serve as focal points for cybersecurity information sharing and collaboration within the private sector as well as between the private sector and government. It is stated that ISAOs should collect and analyze information regarding critical infrastructure in order to facilitate the prevention, detection, mitigation, or recovery from the effects of cyber threats. According to the applicable provisions, the ISAOs are intended to be:

  • Inclusive (groups from any and all sectors, both non-profit and for-profit, expert or novice, should be able to participate in an ISAO);
  • Actionable (groups will receive useful and practical cybersecurity risk, threat indicator, and incident information via automated, real-time mechanisms if they choose to participate in an ISAO);
  • Transparent (groups interested in an ISAO model will have an adequate understanding of how that model operates and whether it meets their needs); and
  • Trusted (participants in an ISAO can request that their information be treated as Protected Critical Infrastructure Information). 

In summary, the present FDA guidance highlights the most important aspects related to the management of cybersecurity for medical devices already placed on the market. The document provides an overview of the applicable framework in terms of recommendations and guidelines to be considered by the parties involved in order to ensure a sufficient level of protection against vulnerabilities and exploits. 

How Can RegDesk Help?

RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.