In recent years, there has been a vast increase in data breaches targeting health-care organizations. Cybersecurity threats and vulnerabilities in medical devices are evolving to become more sophisticated, which comes with new risks to patients and clinical operations that were not previously considered. While the U.S. Food and Drug Administration (FDA) has reported that it is not aware of an unauthorized user exploiting a cybersecurity vulnerability in a medical device that is in use by a patient, the risk of such an attack persists. Any cybersecurity attack on medical devices connected to a network can severely impact patients who are using those medical devices.
FDA has taken these potential threats seriously, and according to FDA Commissioner Scott Gottlieb, the agency “has been working to stay a step ahead of these changing cybersecurity vulnerabilities, including engaging with external stakeholders.” FDA believes that, by taking proactive steps, it can help ensure that the health-care sector is well positioned to preemptively respond when cybersecurity vulnerabilities are identified in FDA-regulated products. In particular, FDA, through its Center for Devices and Radiological Health (CDRH), has taken a holistic, systematic approach to building its medical device cybersecurity program, as well as establishing a platform that emphasizes the importance of shared responsibility by the industry and other stakeholders. CDRH’s medical device cybersecurity program launched in 2013 with the establishment of a Cybersecurity Working Group, created to respond to concerns and actively address the need for innovative approaches and policies in medical device cybersecurity. Soon after, FDA began to focus on cybersecurity regulatory considerations, mostly in the form of recommendations for product developers and manufacturers at “each stage of a product’s life cycle.”
FDA has been active in releasing guidance and collaborating with other stakeholders in an effort to ensure that the health-care sector is well positioned to proactively respond when cybersecurity vulnerabilities are identified in the products FDA oversees. Providing a foundation of mutual engagement and promoting cybersecurity readiness, FDA has taken substantial strides that include: (i) developing premarket guidance that addresses cybersecurity risks; (ii) developing postmarket guidance for continued protection of medical devices; (iii) announcing new “Information Sharing Analysis Organizations”; (iv) pursuing an enhanced cybersecurity partnership with the U.S. Department of Homeland Security (DHS); (v) supporting a cybersecurity “playbook” for health-care delivery organizations, as well as an internal FDA playbook to help its staff in addressing threats; (vi) seeking funding for a new digital health “center of excellence” that would include a cybersecurity unit; and (vii) releasing product-specific safety communications discussing cybersecurity vulnerabilities. As summarized in detail below, these actions provide clarity and support for the industry, particularly regarding interactions with FDA, implementation of cybersecurity procedures, and medical device product submissions and documentation.
Guidance on Premarket Submissions for Management of Cybersecurity in Medical Devices
Original 2014 Guidance:
FDA released guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, in October 2014 in an effort to assist industry by identifying issues related to cybersecurity that manufacturers should consider in their design and development of medical devices and in preparing premarket submissions for those devices. In this guidance, FDA encouraged medical device manufacturers to develop cybersecurity measures to reduce the likelihood that inadequate security would compromise device functionality, and to maintain the device’s integrity and safety. FDA also set forth its expectation that, as part of a premarket submission, a medical device manufacturer should provide documentation demonstrating how the manufacturer considered cybersecurity risks and effectively implemented security controls in its device design. Specifically, FDA encouraged manufacturers to address (i) identification of assets, threats, and vulnerabilities; (ii) assessment of the impact of threats and vulnerabilities on device functionality and end users/patients; (iii) assessment of the likelihood of a threat and of a vulnerability being exploited; (iv) determination of risk levels and suitable mitigation strategies; and (v) assessment of residual risk and risk acceptance criteria. FDA also recommended that manufacturers follow five functions with respect to cybersecurity risks as set out in the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework): identify, protect, detect, respond, and recover. Under the NIST Framework, “identify and protect” consists of identifying the cybersecurity risks of the medical device when used in connection with the wireless network, the Internet, or other portable media, as well as appropriately implementing safeguards to protect against such risks. “Detect, respond, and recover” involves implementing features that allow security compromises to be detected, recognized, logged, timed, and acted upon during normal use.
Updated 2018 Guidance:
Understanding the rapidly evolving nature of cybersecurity threats, FDA recently updated its guidance to reflect the current threat landscape to assist manufacturers in proactively addressing cybersecurity concerns when designing and developing their devices. On Oct. 18, 2018, FDA issued its highly anticipated draft revision to its existing premarket cybersecurity guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. The draft 2018 guidance provides updated recommendations for device manufacturers on how they can better protect their products, and again leverages the (now updated) NIST Framework. Further, the 2018 guidance updates FDA recommendations on cybersecurity considerations for device design, labeling, and documentation that should be included in premarket submissions for agency approval of medical devices with cybersecurity risk (i.e., those capable of connecting to another device, network, or portable media).
Specifically, the guidance addresses design and development of medical devices by recommending that manufacturers: (i) employ a risk-based approach in the design and development of a device; (ii) take a holistic approach by assessing risk and mitigation throughout the product life cycle; (iii) ensure maintenance and continuity of critical device safety and essential performance; and (iv) promote the development of trustworthy devices to ensure continued safety and effectiveness. In its effort to clarify its premarket roadmap and help manufacturers consider cybersecurity in the design and development of their medical devices, FDA:
- Emphasizes risk analysis in cybersecurity safeguards and the design process, as well as software validation required by the Quality System Regulation (21 C.F.R. Part 820). These recommendations include a cybersecurity bill of materials to provide to customers, which presents the assets, threats, and vulnerabilities of a device to enable users to comprehend the potential impacts of those vulnerabilities in order to safely use and experience the full benefits of the device.
- Proposes defining two tiers of devices based on their cybersecurity risk. Tier 1, or “higher cybersecurity risk,” products include devices capable of connecting, either wired or wirelessly, to another medical or nonmedical product, or to a network or the Internet. Tier 2, or “standard cybersecurity risk,” is a catchall for medical devices that do not meet the criteria for Tier 1.
- Introduces the idea of design trustworthiness, which means that a device: (1) is reasonably secure from cybersecurity intrusion and misuse; (2) provides a reasonable level of availability, reliability, and correct operation; (3) is reasonably suited to performing intended functions; and (4) adheres to generally accepted security procedures.
- Provides a clearer roadmap for applying the NIST Framework to FDA’s design expectations, enabling detection of, response to, and recovery from services or capabilities impaired by a cybersecurity incident.
- Further expands labeling documentation guidelines that lay out the cybersecurity risks for end users.
- Clarifies the cybersecurity documentation that should be provided in premarket medical device submissions to FDA.
According to FDA, the updated recommendations build on its previous guidance and are meant to facilitate an efficient premarket review process and help ensure that medical devices are designed to sufficiently address cybersecurity threats before the devices are on the market. These recommendations are part of FDA’s total life cycle approach to device safety, meaning that manufacturers must adequately address device cybersecurity from the design phase through the device’s time on the market to help ensure that patients are protected from cybersecurity threats.
The agency will conduct a public workshop for industry stakeholders on Jan. 29-30, 2019, to discuss the newly released draft guidance before it is finalized. FDA is also seeking stakeholder comments on the proposals in the guidance. All comments are due by March 18, 2019. Once effective, this guidance will replace the 2014 guidance.
Postmarket Management of Cybersecurity in Medical Devices
In 2016, FDA released its Postmarket Management of Cybersecurity in Medical Devices guidance, which outlines a risk-based framework for manufacturers to use to ensure they can quickly and adequately respond to new cybersecurity threats once a device is on the market. As with its premarket guidance, FDA’s postmarket guidance leverages the NIST Framework and encourages medical device manufacturers to adopt the NIST Framework’s five core functions discussed above.
In particular, the postmarket guidance emphasizes that manufacturers should: (1) institute mechanisms to monitor and detect cybersecurity vulnerabilities on their devices; (2) understand, assess, and detect the level of risk a vulnerability poses to patient safety; (3) establish a working relationship with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities; and (4) institute mitigation actions to preemptively tackle cybersecurity issues before they can be exploited and cause harm to patients. The postmarket guidance also clarifies which changes to devices FDA considers routine updates and patches, as well as the circumstances in which FDA does not intend to enforce reporting requirements under 21 C.F.R. Part 806 for specific vulnerabilities with uncontrolled risk. Finally, FDA considers voluntary participation in an information sharing and analysis organization (ISAO) (discussed below) a critical component of a medical device manufacturer’s comprehensive, proactive approach to managing postmarket cybersecurity threats and vulnerabilities, and a significant step toward assuring the ongoing safety and effectiveness of marketed medical devices. Central to these recommendations is FDA’s stated belief that medical device manufacturers should implement a structured and comprehensive program to manage cybersecurity risks.
Use of ISAOs
FDA has expressed its philosophy that “cybersecurity is a challenge that can only be effectively addressed by a wide range of stakeholders,” including not just medical device manufacturers, but also health-care delivery organizations and potential patients. The agency has attempted to bring stakeholders together by providing additional opportunities for manufacturers to share information via ISAOs. ISAOs are groups of experts that gather, analyze, and disseminate important information about cybersecurity threats. As seen in its postmarket cybersecurity guidance, FDA encourages participation in ISAOs through several means. As recently as Oct. 1, 2018, FDA announced two memoranda of understanding to support the creation of new ISAOs: MedISAO and Sensato-ISAO. FDA contends that this transparent sharing of information about emerging threats and potential vulnerabilities will ultimately help manufacturers address issues earlier and will result in more protection for patients. Communication among stakeholders is one of the core components of FDA’s approach to managing risk and, as a result, FDA is likely to continue to facilitate open communication channels, like ISAOs, in addition to its guidance.
Collaboration With the Department of Homeland Security
On Oct. 16, 2018, FDA announced a formalized memorandum of agreement (MOA) with DHS to implement a new framework for greater collaboration between the two agencies in addressing cybersecurity in medical devices. The agreement is not the first time these agencies have teamed up to address cybersecurity concerns, as they have historically collaborated on many aspects of medical device cybersecurity, notably around coordination of vulnerability disclosures. This coordination assists medical device manufacturers that receive information from cybersecurity researchers about identified vulnerabilities in their products, in a way that enables all parties to respond to potential threats in a timely manner. The agencies have also worked together on post-action reviews of DHS-led exercises that simulate real-world cybersecurity attacks and enable the government and stakeholders to practice and improve their responses to these threats.
Execution of this MOA formalizes the existing relationship between FDA and DHS, thereby further enhancing coordination and information sharing about potential or confirmed medical device cybersecurity vulnerabilities and threats. The agencies contend that such collaboration can lead to more timely and robust responses to potential threats to patient safety, as well as the coordination of device testing when warranted. This should assist manufacturers in proactively responding to identified cybersecurity vulnerabilities. Under the MOA, DHS will continue to serve as the central medical device vulnerability coordination center and interface with appropriate stakeholders, including consulting with FDA for technical and clinical expertise regarding medical devices. FDA will continue to engage in regular, ad hoc, and emergency coordination calls with DHS and advise DHS regarding risks to patient health and the potential for harm posed by identified cybersecurity threats and vulnerabilities.
Medical Device Cybersecurity Playbook
Following recent cybersecurity attacks, FDA has responded with attempts to enhance health-care delivery organizations’ readiness and response mechanisms for incidents or exploits affecting medical devices. In this endeavor, FDA has sponsored and advised on the MITRE Corporation’s new guidance, Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook (Playbook). The MITRE Corporation, a federally funded nonprofit research organization, released the Playbook on Oct. 1, 2018, to help health-care delivery organizations better understand and prepare for potential cybersecurity incidents involving medical devices.
The Playbook provides a framework for providers to prepare for and respond to cybersecurity incidents involving medical devices, including maintaining the functionality of devices and protecting patient safety in the event of an incident. It lays out various steps for planning and responding to cybersecurity incidents and particularly focuses on how health-care delivery organizations should manage this process and collaborate with other stakeholders throughout the various stages of an incident. These steps consist of developing a medical device inventory and conducting training exercises.
Overall, the Playbook specifically focuses on cybersecurity threats impacting medical devices that could affect continuity of clinical operations for patient care, and aims to support regional incident preparedness and response activities to limit the potential impact on patient care and safety during a cybersecurity incident. The Playbook notes that it can be used by health-care delivery organizations without a medical device cybersecurity response plan or can be incorporated into existing incident response plans, although the Playbook acknowledges that many health-care delivery organizations will be unable to “execute all recommendations due to operational constraints.”
In addition, FDA recently announced the development of its own internal playbook to assist agency staff in addressing cybersecurity threats and vulnerabilities. According to FDA, the internal playbook establishes an effective and appropriate incident response plan that is flexible and clear, and should help the agency respond efficiently to medical device cybersecurity attacks, including mitigating the impact to devices, health-care systems, and ultimately, patients.
Center of Excellence for Digital Health
In FDA’s Fiscal Year 2019 Budget, the agency proposed to create a Center of Excellence for Digital Health to help establish more efficient regulatory paradigms, consider constructing new capacity to evaluate and recognize third-party certifiers, and support a cybersecurity unit to complement the advances in software-based devices. This new center would not only address cybersecurity issues pertaining to new health technologies but would also aim to resolve technical complications facing older medical devices. This new unit would establish a public-private multidisciplinary effort “to bring together a broad range of requisite expertise to serve as a resource for industry and the FDA to assess cybersecurity vulnerabilities and incidents and help identify effective solutions,” according to Gottlieb.
Product-Specific Safety Communications
In addition to the steps FDA has taken to address cybersecurity in medical devices generally, FDA has issued product-specific safety communications addressing cybersecurity vulnerabilities. On April 17, 2018, FDA issued a safety communication informing patients and health-care providers about the release of an additional firmware update to address premature battery depletion and confirmed cybersecurity vulnerabilities identified in implantable cardiac devices. On Oct. 11, 2018, FDA issued a safety communication informing patients and health-care providers about the release of a software update to address the cybersecurity vulnerabilities associated with implantable cardiac device programmers. The issues addressed in the communications were not due to specific patient injuries or deaths associated with cybersecurity incidents, nor did they result from specific cybersecurity targeting of devices or systems in clinical use. Rather, FDA made these communications in an effort to point out vulnerabilities that could allow unauthorized users to remotely access, control, and issue commands to devices, potentially leading to severe patient harm.
Are FDA’s Actions Enough?
While there has been considerable improvement in FDA’s medical device cybersecurity efforts, there is still room for growth. For example, the U.S. Department of Health and Human Services (HHS) Office of the Inspector General (OIG) has issued two recent reports regarding FDA’s cybersecurity measures. In September 2018, OIG published a report of its findings on FDA’s premarket review processes of networked medical devices. OIG concluded that, while FDA has begun to incorporate cybersecurity concerns as part of its review process, FDA should more thoroughly ensure that its cybersecurity review is systematic and consistent. OIG found that FDA could integrate cybersecurity more comprehensively into its premarket device review process in the form of pre-submission program meetings, revising the “Refuse-to-Accept” checklists to require cybersecurity documentation, and updating the “Smart” template to prompt cybersecurity questions.
In October 2018, OIG issued a report on FDA’s policies and procedures regarding postmarket cybersecurity risk to medical devices. This report evaluated the effectiveness of FDA’s plans and processes for timely communicating and addressing cybersecurity compromises of medical devices in the postmarket phase, and found that FDA’s policies and procedures were insufficient for handling postmarket medical device cybersecurity events. According to OIG, FDA had not adequately tested its ability to respond to emergencies resulting from such events, and in two of 19 district offices, FDA had not established written standard operating procedures to address recalls of medical devices vulnerable to cybersecurity threats.
Many of the alleged deficiencies were present because the OIG fieldwork was conducted prior to many of FDA’s actions discussed above, and FDA disagreed with some of OIG’s conclusions (e.g., that pre-existing policies and procedures were insufficient). Overall, however, FDA agreed with OIG’s recommendations and affirmed that it had already begun implementing these recommendations (for example, through the issuance of its updated premarket guidance) and would continue working to implement the recommendations detailed in the reports.
FDA’s actions outlined above demonstrate the agency’s growing focus on cybersecurity and its goal to significantly enhance cybersecurity infrastructure and collaboration as medical devices continue to advance and integrate into vulnerable networks. FDA recognizes, as OIG has pointed out, that there is still room to grow and enhance its policies and recommendations for the industry to more effectively protect patients from cybersecurity threats. FDA outlined its growing commitment to digital health and medical device security in its Fiscal Year 2019 budget request, and has increased its digital focus since Gottlieb took office. According to Gottlieb, FDA is “committed to staying ahead of these risks and unscrupulous cybercriminals who may seek to use cybersecurity vulnerabilities in a way that puts patient lives in danger.” Stakeholders should expect to see continued and more robust action from FDA to increase awareness of cybersecurity vulnerabilities of medical devices and emphasize comprehensive planning around these risks in its efforts to protect patient safety.
Kimberly Gold is a partner in Reed Smith’s Life Sciences Health Industry Group, where she focuses her practice on regulatory, privacy, and cybersecurity issues affecting health-care and life sciences companies.
Robert Kantrowitz is an associate in Reed Smith’s Life Sciences Health Industry Group, where he focuses his practice on transactional, regulatory, data privacy, and cybersecurity matters for health-care and life sciences companies.