The FDA is the latest federal agency to turn its attention to cybersecurity, with the December 28 release of new guidance. While network-enabled medical devices increasingly offer the promise of improved care and patient treatment, evolving technology and new-found connectivity present emerging security considerations as well.
The Food and Drug Administration issued final nonbinding recommendations for industry and FDA staff on Postmarket Management of Cybersecurity in Medical Devices. The 30-page guidance particularly flagged the need to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment, and maintenance of the device. It also supported rigorous risk-assessment programs to measure the potential impact of vulnerabilities on patient safety.
The recommendations represent FDA’s current thinking on the issue and do not bind FDA or the public. FDA is responsible for reviewing, approving, and regulating medical products, including pharmaceutical drugs and medical devices, as well as food, cosmetics, and other products.
As part of its recommendations, FDA encouraged the use and adoption of the voluntary “Framework for Improving Critical Infrastructure Cybersecurity” issued by the National Institute of Standards and Technology. Under that framework, manufacturers “Identify, Protect, Detect, Respond and Recover” throughout the lifecycle of the product.
Other recommendations included implementing comprehensive cybersecurity risk management programs and documentation (such as complaint handling), conducting threat modeling, and assessing the risk of patient harm by considering both the exploitability of a vulnerability and the severity of patient harm should it be exploited. The guidance provides details on how such a risk assessment may be carried out.
FDA also clarified the circumstances under which it would require that companies notify the agency of actions taken to correct device cybersecurity vulnerabilities under 21 CFR part 806. Additionally, for Premarket Approval devices with periodic reporting requirements, FDA recommended that certain information regarding cybersecurity vulnerabilities and resulting device changes should be included in the reports to the agency.
Government agencies are increasingly focused on cybersecurity, and FDA follows the path of other agencies, including NIST (discussed above) and the Federal Trade Commission, in releasing nonbinding guidance on how to assess and respond to vulnerabilities. Though these recommendations are voluntary, the federal government is steadily building a baseline of its expectations for industry, and it will consider those expectations when investigating industry practices.
See a previous post on our sister blog, Drug & Device Law, here.