Patient Safety in the Regulatory Spotlight
On Oct. 1st, the FDA released final guidance on “Content of Premarket Submission for Management of Cybersecurity in Medical Devices.” The document had previously been published as a draft version (June 2013); after public comment, this final version has now been issued. Symantec had submitted review comments, and we applaud the FDA on finalizing this important document.
What does the document address?
Overall, the FDA maintained the approach of the initial draft, laying out how manufacturers should consider cybersecurity in the design of network-connected medical devices and recommending that they make cybersecurity documentation part of their premarket submission. The document has become more specific in some areas, for example by referencing a list of FDA-recognized standards, and by explicitly naming patient safety as one of the main drivers behind this guidance.
What does it mean for Medical Device Manufacturers?
Although a guidance document does not establish legally enforceable responsibilities, it does describe the Agency's current thinking on a topic. Manufacturers will realize that device cybersecurity will increasingly become an issue in the FDA's premarket submission process and will eventually result in regulatory scrutiny and/or legal enforcement. I am aware of several manufacturers that have already committed themselves to complying with the guidance.
What does it mean for Healthcare Organizations?
Networked medical devices are exposed to the same cyber threats as any other IT component. However, due to long product life, slow patch deployment, and limitations on using anti-malware software, they are typically much more vulnerable. Security researchers have demonstrated that medical devices are easy prey, although to date no targeted attacks on medical devices out of malicious or criminal intent have been documented. A persistent and common problem, however, is the unintentional infection of poorly protected devices by common malware introduced via the network or via storage media, e.g., USB drives. The impact on healthcare providers is significant on an operational and financial level: it results in equipment downtime, outbreaks often spread rapidly across multiple devices of the same configuration and patch level, and patient care across entire departments is frequently affected.
What the FDA is recommending:
The need for effective cybersecurity to assure medical device functionality and safety has become increasingly apparent and should be taken seriously by all stakeholders. The FDA is recommending that manufacturers include the following types of information in their premarket submission starting Oct. 1st, 2014:
- A justification of the security functions chosen;
- A list of cybersecurity risks considered;
- A matrix mapping risks to the appropriate controls;
- A systematic plan for providing patches and updates to operating system and device software.
Beyond the security controls themselves, the guidance also emphasizes that the device’s cybersecurity properties should be documented and communicated to the operator of the device.
In support of the guidance document, the FDA will hold a public webinar on October 29th, 2014. Further, in cooperation with the Department of Homeland Security and the Department of Health and Human Services, the FDA will be holding a public meeting, "Collaborative Approaches for Medical Device and Healthcare Cybersecurity," with the goal of encouraging collaboration among stakeholders, identifying challenges, and discussing strategies and best practices for promoting medical device cybersecurity.
Should you have any questions on this topic, please feel free to contact me.