It’s the Risk, Stupid: FDA Medical Device Guidance Looks Past the Device

The FDA has issued guidance for securing post market medical devices.

In-brief: The FDA’s final guidance on cybersecurity for postmarket medical devices marks a departure from earlier drafts, focusing generically on cybersecurity risk management and jettisoning an early focus on the threat posed by “connected devices” that some considered too narrow.

The U.S. Food and Drug Administration (FDA) on Wednesday issued its final guidance for securing postmarket (or already released) medical devices, urging device makers to monitor, identify and address cyber security vulnerabilities and attacks that exploit them.

The document, which was published on the FDA’s web site, is the culmination of years of work and a series of public hearings and feedback from the public, including device makers, academics and cyber security professionals. It marks a departure from earlier drafts, focusing generically on cybersecurity risk management and jettisoning an early focus on the threat posed by “connected devices” that some considered too narrow.

Among other things, the postmarket guidance alerts device makers to the types of changes to medical devices that warrant FDA notification. The release follows the publication of similar guidance on “premarket” medical devices (those that are still under development and have not yet been offered for sale) in 2014.

Like early drafts of the guidance, the final FDA guidance calls on medical device manufacturers to “implement comprehensive cybersecurity risk management programs” that include a way to handle complaints from customers and researchers, conduct quality audits of postmarket devices, perform software validation and risk analysis on medical devices and take corrective action to address known flaws.


Medical device manufacturers are advised to adopt a “coordinated vulnerability disclosure policy and practice” akin to what many software firms have implemented in recent years. Device makers are also urged to participate in an information sharing and analysis organization (ISAO) akin to those in the banking, energy and (more recently) automotive sectors. “Postmarket cybersecurity information may originate from an array of sources including independent security researchers, in-house testing, suppliers of software or hardware technology,” the document reads. “Sharing and dissemination of cybersecurity information and intelligence pertaining to vulnerabilities and threats across multiple sectors is integral to a successful postmarket cybersecurity surveillance program.”

In other ways, the guidance is a departure from earlier drafts. Specifically, the FDA appears to have heeded calls from leading medical device researchers to broaden the scope of the guidance to focus generically on cybersecurity risk and de-emphasize specific, device-level protections that may cease to be relevant in the future. In a letter to the FDA in April, for example, Dr. Kevin Fu of the University of Michigan, an internationally recognized expert on the security of medical devices, urged the FDA to focus on outcomes rather than “the modality of an infection vector.”

Using an analogy from the medical world, Fu notes that epidemiologists don’t issue separate guidance for preventing influenza infections “by sneezing” versus “by cough.” The focus, instead, is on outcomes: preventing influenza from spreading, period. A similar approach should be used to stop the spread of cyber security vulnerabilities and exploits, he said.

The FDA appears to have listened – at least somewhat. The term “cybersecurity risk” appears frequently in the final guidance, and segments from earlier drafts that focused on securing devices have been changed to focus on addressing cybersecurity risk more generally.


“The FDA clearly worked hard on the postmarket guidance,” Fu said in an email comment to Security Ledger. “The guidance… responds to many of the medical device security issues we highlighted in reports by the National Academies and the NIST Information Security and Privacy Advisory Board over the last six years.”

Fu said that the guidance will provide clarity to medical device makers on what is expected both in new products under development and from products that are being sold to healthcare organizations and the public. “Whether they like it or not, the C-suites now have much greater clarity on expectations for maintaining cybersecurity of a medical device,” Fu wrote. The FDA is scheduled to present its guidance and discuss its implications at an event in Florida in mid-January.
