The United States Food and Drug Administration (“FDA”) recently released its Dec. 28, 2016, final guidance titled, “Postmarket Management of Cybersecurity in Medical Devices; Guidance for Industry and Food and Drug Administration Staff.”  This guidance informs industry and FDA staff of FDA’s recommendations for managing postmarket cybersecurity vulnerabilities for marketed and distributed medical devices. Such devices include the following: (1) medical devices that contain software (including firmware) or programmable logic, (2) software that is a medical device, including mobile medical applications, (3) medical devices that are considered part of an interoperable system, and (4) legacy devices that are already on the market or in use.
Overview of Cybersecurity Risk Management
In this final guidance, the FDA makes clear that medical device manufacturers must manage cybersecurity risks throughout the entire lifecycle of the medical device. Additionally, manufacturers must have cybersecurity risk management programs that address vulnerabilities, particularly those which may result in patient harm.
The cybersecurity risk management program should include the “[m]onitoring of cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk” and “[m]aintaining robust software lifecycle processes that include…monitoring third party software components for new vulnerabilities…[and]…design verification and validation for software updates and patches that are used to remediate vulnerabilities, including those related to Off-the-shelf software[.]”  Manufacturers also need to define the safety and essential performance of the medical device, the resulting severity of patient harm if the medical device is compromised, and the criteria for risk acceptance. In implementing the cybersecurity risk management program, the manufacturer may wish to consider adopting the principles found in the NIST Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). 
Defined Process for Cybersecurity Risk Management
The FDA recommends that manufacturers have a defined process for systematically conducting a risk evaluation to determine whether a cybersecurity vulnerability presents a controlled (i.e., acceptable) or an uncontrolled (i.e., unacceptable) risk. In so doing, the FDA recommends that this process focus on assessing the risk of patient harm by considering the following factors: (1) the exploitability (intentionally or unintentionally) of the cybersecurity vulnerability,  and (2) the severity of patient harm in the event of successful exploitation of the vulnerability.
In assessing the severity of patient harm, the FDA suggests an approach based upon qualitative security levels as set forth in ANSI/AAMI/ISO 14971: 2007/(R)2010: Medical Devices – Application of Risk Management to Medical Devices: negligible (inconvenience or temporary discomfort), minor (temporary injury or impairment), serious (injury or impairment requiring medical intervention), critical (permanent impairment or life-threatening injury), and catastrophic (patient death). 
In terms of evaluating the risk of patient harm, the FDA recommends that manufacturers use a matrix with combinations of exploitability and severity of patient harm to determine whether the risk is a controlled (i.e., acceptable) or uncontrolled (i.e., unacceptable) risk. An example of such a matrix is reproduced below from page 18 of the FDA guidance.
Determination of Controlled or Uncontrolled Risks
The exploitability of an identified vulnerability and the severity of patient harm can help determine the risk of harm to the patient and may be categorized as a controlled (i.e., acceptable risk) or an uncontrolled (i.e., unacceptable risk). As explained in the FDA guidance, a “[c]ontrolled risk” is “present when there is a sufficiently low (acceptable) residual risk of patient harm due to the vulnerability.”  But, even when the risk is controlled, the FDA recommends that manufacturers proactively promote cyber hygiene to reduce cybersecurity risks. The FDA sets forth in its guidance examples of vulnerabilities associated with controlled risk and management of such risk on pages 20 to 21. In essence, a manufacturer may determine that the risk of patient harm due to a vulnerability is controlled if the medical device’s safety and essential performance is not and would not be impacted. 
By the same token, uncontrolled risk exists when there is an unacceptable residual risk of patient harm, due to insufficient risk mitigation and compensating controls.  If the risk of patient harm is assessed by the manufacturer as an uncontrolled risk, then additional risk control measures should be applied. Further, such uncontrolled risks should be remediated as quickly as possible. For example, manufacturers should remediate the vulnerabilities to reduce the risk of patient harm to an acceptable level. Additionally, customers and the user community should be provided with information on recommended controls and residual cybersecurity risks so that appropriate steps can be taken to mitigate the risk. 
Active Participation in an Information Sharing and Analysis Organization
Whether controlled or uncontrolled risks exist in the medical device, the FDA recommends that manufacturers actively participate in an information sharing and analysis organization (“ISAO”), such as the National Health Information Sharing and Analysis Center (“NH-ISAC”). Active participation includes sharing vulnerability information with the ISAO and having documented processes for assessing and responding to vulnerability and threat intelligence information received from the ISAO.
In summary, the FDA has made clear in its guidance that addressing medical device vulnerabilities is not optional and must be done. The FDA recommends that medical device manufacturers adopt the Framework to manage risks. Finally, the FDA also emphasizes the need to manage such risks in view of risk of harm to the patient.
- See http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022.pdf.
- See id. at 13. See also 21 CFR Part 820.
- NIST recently released draft version 1.1 of the Framework. See https://www.nist.gov/cyberframework/draft-version-11.
- The FDA suggests that manufacturers use a cybersecurity vulnerability assessment tool or similar scoring system for rating vulnerabilities and determining the need and urgency for the response. One example of such a tool is the Common Vulnerability Scoring System. See https://www.first.org/cvss. Other resources include the NIST Vulnerability Database and the Common Vulnerabilities and Exposures catalog. See https://nvd.nist.gov/ and https://cve.mitre.org/.
- The FDA notes that these parenthetical descriptions are “possible descriptions.” See supra note 1 at 17.
- See id. at 19. The FDA guidance further states that cybersecurity routine updates and patches, which are used to strengthen cybersecurity are typically considered device enhancements, are generally not required to be reported, under 21 CFR Part 806.
- “Essential performance” is the “performance of a clinical function, other than that related to basic safety, where loss or degradation beyond the limits specified by the manufacturer results in an unacceptable risk.” Id. at 5 (quoting ANSI/AAMI ES60601-1:2005/(R)2012 and A1:2012, C1:2009/(R)2012 and A2:2010/(R)2012 (Consolidated Text) Medical electrical equipment— Part 1: General requirements for basic safety and essential performance (IEC 60601-1:2005, MOD), section 3.27)).
- “A cybersecurity compensating control is a safeguard or countermeasure deployed, in lieu of, or in the absence of controls designed in by a device manufacturer. These controls are external to the device design, configurable in the field, employed by a user, and provide supplementary or comparable cyber protection for a medical device.” Id. at 9 (citing NIST Special Publication No. 800-53A Rev. 4).
- The FDA notes that manufacturers must report such vulnerabilities to the FDA as set forth in 21 CFR Part 806, unless reported under 21 CFR Parts 803 or 1004. See id. at 22.