Cybersecurity threats to medical devices are a growing concern as an increasing number of medical devices are designed to be networked together, either wirelessly or by wired infrastructure, to facilitate patient care. Due to this, the U.S. Food and Drug Administration (FDA) encourages medical device manufacturers to remain vigilant, throughout a device’s total product lifecycle, to maintain an adequate degree of protection against potential cybersecurity threats.
On January 22, 2016, the FDA issued a new draft guidance regarding post-market management of cybersecurity in medical devices. The guidance provides the agency’s recommendations for monitoring, identifying and addressing cybersecurity vulnerabilities in medical devices once they have entered the market. The key principles of the new guidance are that cybersecurity management in medical devices:
- Is a shared responsibility, requiring a collaborative approach
- Should be addressed during the design and development of the medical device
- Should align with Presidential Executive Orders (EOs) and the NIST Cybersecurity Framework
- Should be part of software validation and risk management
To the FDA, examination of cybersecurity should be part of any device's risk management program. Proactive cybersecurity management is considered a shared responsibility among stakeholders, which include the medical device manufacturer, the user, the information technology (IT) system integrator, health IT developers and other IT vendors that provide products that integrate with devices. The FDA encourages collaboration among these stakeholders and, within the guidance, clarifies its recommendations on mitigating cybersecurity threats. The agency now also encourages the use and adoption of the National Institute of Standards and Technology (NIST) "Framework for Improving Critical Infrastructure Cybersecurity", which consists of five core functions: identify, protect, detect, respond and recover.
In order for the FDA and industry to gain further insight into medical device cybersecurity, the FDA, in collaboration with the National Health Information Sharing and Analysis Center (NH-ISAC), the Department of Health and Human Services (DHHS) and the Department of Homeland Security (DHS), held a public workshop in January. The workshop brought together a diverse group of stakeholders to discuss the complex challenges in medical device cybersecurity that affect the medical device ecosystem. The key topics of discussion were:
- The new Information Sharing and Analysis Organizations (ISAOs), established by Executive Order in February 2015 to promote private sector cybersecurity information sharing
- The cyber threat landscape within the healthcare and public health sector
- Overcoming challenges manufacturers face with increased cybersecurity collaboration
- Gaining situational awareness of current activities in the healthcare and public health sectors to enhance medical device cybersecurity
- Risk assessment tools for the medical device operational environment
- Adapting and/or implementing medical device cybersecurity standards
Both the guidance and the results of the workshop support the principle that medical device cybersecurity requires a total product life cycle approach and collaboration among multiple stakeholders. Risk management is essential to cybersecurity management and must include an assessment of the exploitability of any cybersecurity vulnerability, an assessment of the severity of its impact on patient safety and health, and an evaluation of the risk it poses to the device's essential clinical performance.
In alignment with this new guidance from the FDA, ICON will continue to recommend that clients incorporate the management of cybersecurity risks into their risk management program, and will encourage clients to consider using a cybersecurity vulnerability assessment tool and engaging with an ISAO. ICON can assist clients in developing cybersecurity programs that proactively control cybersecurity risk. These solutions are device-specific but typically include removing cybersecurity vulnerabilities or instructing users to apply a compensating control as an external safeguard. To learn more, please contact ICON at www.iconplc.com/devices
JoAnne L. Bronikowski, BS, RAC
Sr. Manager, Regulatory Affairs
ICON Medical Device Regulatory Services