The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of medical devices and other healthcare products, has published a discussion paper dedicated to strengthening cybersecurity practices associated with servicing medical devices.

The present document is intended solely for the purpose of initiating a public discussion on the matter and should not be construed as guidance. Neither does it represent the current position of the regulating authority. Rather, it highlights the most important aspects related to the matter and encourages the parties involved to provide feedback and suggestions.

Regulatory Background 

The Agency announced earlier that it sets further improvement of cybersecurity practices related to medical devices as one of its primary goals. In particular, the FDA’s Report on Device Servicing was published by the authority earlier in May 2018. According to the document, “service” stands for repair and/or preventive or routine maintenance of one or more parts in a finished device, after distribution, for purposes of returning it to the safety and performance specifications established by the original equipment manufacturer (OEM) and to meet its original intended use. At the same time, the concept of “servicing” does not cover any actions resulting in significant changes to the safety and effectiveness of a medical device or its intended use. 

Cybersecurity-related matters are vitally important for medical devices intended to be connected to local or global networks. As stated in the discussion paper, the term “cybersecurity” should be understood as the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored on, accessed from, or transferred from a medical device to an external recipient. The Agency has already developed and published several guidance documents dedicated to cybersecurity issues related to medical devices. In those guidance documents, the FDA describes the concept of a “total product lifecycle (TPLC)” approach under which responsible parties should pay attention to cybersecurity matters at every stage of a medical device’s lifecycle, starting from the initial design and development and including post-market activities. It is also important to mention that responsibilities in the sphere of cybersecurity should be shared among all the parties involved in operations with medical devices. However, the key role should be played by medical device manufacturers, who are responsible for implementing the measures necessary to mitigate existing cybersecurity risks and for dealing with vulnerabilities. In this regard, medical device manufacturers should duly implement efficient cybersecurity controls.

Ineffective cybersecurity measures could lead to the loss of sensitive personal data, to malfunctions of a medical device, and to the threat spreading to other medical devices. Thus, cybersecurity issues could result in harm to patients’ health through the impact they can have on the safety and performance of a medical device.

The authority acknowledges that there is no way to eliminate any and all cybersecurity vulnerabilities related to medical devices. However, medical device manufacturers are responsible for implementing an approach that would facilitate the identification of cybersecurity vulnerabilities and mitigate consequences associated thereto. The parties involved in operations with medical devices, other than manufacturers, should also contribute to the process by assisting in identifying new threats and performing maintenance of medical devices, ensuring that all identified risks related to cybersecurity are duly mitigated. It is stated that the medical device manufacturer should consider the option of non-OEM servicing and implement measures necessary to ensure that such servicing would be performed without compromising cybersecurity. 

The scope of the present discussion paper covers cases when medical devices are subject to non-OEM servicing and cybersecurity aspects associated thereto. According to the document, its scope covers software enabled medical devices (including firmware) or programmable logic, software that is a medical device, and devices that are considered part of an interoperable system. 

Cybersecurity Challenges and Opportunities for Medical Device Servicing 

The regulating authority emphasizes the importance of ensuring that proper cybersecurity practices are applied when servicing medical devices subject to cybersecurity risks. In this context, the role of non-OEM servicing entities lies in identifying new threats and vulnerabilities and implementing all corrections and updates necessary to ensure the continued safety and effectiveness of medical devices. It is also important to strike a proper balance between ensuring the safety of a medical device and avoiding an unnecessary burden on medical device manufacturers and other parties involved.

The document further outlines several challenges and opportunities the authority found the most important in the context of cybersecurity aspects of servicing for medical devices. 

1. Privileged access. One of the most important concepts to be applied in order to improve cybersecurity is “privileged access”, a function that limits access to a narrowly defined set of authorized users. In order to allow non-OEM servicing entities to conduct all necessary operations, the medical device manufacturer shall consider the option of providing privileged access to such entities. There is no general approach to be applied in all situations, so particular solutions should be developed on a case-by-case basis, provided that the main safety principles are met and unauthorized third parties cannot access critical functions of the device.

2. Identification of cybersecurity vulnerabilities and incidents. The FDA states that identifying new cybersecurity issues and taking the actions necessary to mitigate the associated risks and consequences is vitally important not only for healthcare institutions using medical devices but for the industry in general. In this regard, an important role could be played by non-OEM servicing entities as, in certain cases, they become aware of newly identified vulnerabilities and threats even earlier than the original medical device manufacturer. Hence, it becomes vitally important to develop and implement efficient information exchange mechanisms, ensuring that all significant information related to cybersecurity issues is communicated to the parties involved in a timely manner.

3. Prevention and mitigation of cybersecurity vulnerabilities. In most cases, once a cybersecurity vulnerability has been identified, the manufacturer takes necessary measures to address it by introducing a new software update. In this regard, non-OEM servicing entities should ensure they have access to and are using the latest updates released by the medical device manufacturer. 

4. Product life cycle challenges and opportunities. Another important aspect addressed in the present discussion paper relates to legacy medical devices. The authority states that in some cases the manufacturer can no longer support a medical device placed on the market and informs the customers accordingly. In such a case, it becomes especially important to understand the risks associated with the use of such a device, even if it meets general safety and performance requirements, since the lack of regular software updates leaves it vulnerable to cybersecurity threats.

In summary, the present FDA discussion paper is dedicated to cybersecurity matters in the context of servicing medical devices. It outlines the main aspects to be considered by the parties involved and provides an overview of the general cybersecurity principles and how they should be applied. The document also addresses certain specific issues related to servicing performed by non-OEM entities and risks associated thereto. 


How Can RegDesk Help?

RegDesk is a next-generation web-based software platform for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.