FDA applies postmarketing requirements to evolving medical device cyber-risks – key messages to manufacturers


With incursions on cybersecurity occurring daily across a variety of platforms, cybersecurity risks are top of mind for FDA and for the device industry.

In January, FDA released a new draft guidance document addressing the postmarket obligations of medical device manufacturers to monitor, identify, and address cybersecurity vulnerabilities throughout the product lifecycle. According to the guidance, exploitation of such vulnerabilities could compromise device safety and effectiveness. As a result, FDA takes the view that cybersecurity triggers a number of requirements for device manufacturers, applying the agency’s longstanding regulatory framework to an evolving risk environment.

The draft guidance follows FDA’s October 2, 2014 issuance of Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (the Premarket Cybersecurity Guidance). Both documents attempt to respond to Obama Administration directives issued in 2013 to strengthen the security and resilience of critical US infrastructure against physical and cyber threats.

The new draft guidance applies to (1) medical devices that contain software (including firmware) or programmable logic, and (2) software that is a medical device.

FDA lays out and defines “vulnerabilities” that could be “exploited” by cybersecurity “threats.” A “vulnerability” is a weakness in a system, security procedure, control, or implementation that leaves it open to exploitation by a “threat.” An “exploit” means that, either intentionally or accidentally, the vulnerability has been exercised “and could impact the essential clinical performance of a medical device or use a medical device as a vector to compromise the performance of a connected device or system.” “Threats” are circumstances or events with the potential to adversely impact “the essential clinical performance of the device, organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations.”

There is much to consider in FDA’s draft guidance, and comments on the draft guidance must be submitted by April 21, 2016.


Premarket controls alone are not enough.

The draft guidance underscores FDA’s view that cybersecurity risks cannot be mitigated solely through premarket controls. Although the guidance encourages manufacturers to consider cybersecurity risks during the premarket phases of development, and references the earlier Premarket Cybersecurity Guidance, the new draft guidance focuses on the key postmarket responsibilities of manufacturers, namely the Quality System Regulation (QSR), Part 806 Reports of Corrections and Removals, and PMA and 510(k) reporting and filing obligations, to prevent and rapidly respond to cybersecurity threats.

Patient safety remains paramount.

The draft guidance also reflects, however, that “the presence of a vulnerability does not necessarily trigger patient safety concerns.”  FDA defines and applies the concept of “essential clinical performance”: “Essential clinical performance means performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer. Compromise of the essential clinical performance can produce a hazardous situation that results in harm and/or may require intervention to prevent harm.”  This concept runs through the guidance and FDA’s proposed application of regulatory standards to cybersecurity issues, and FDA emphasizes that “when defining essential clinical performance, manufacturers should consider the requirements necessary to achieve device safety and effectiveness.”

FDA advises that manufacturers should clearly define essential clinical performance for their products in order to develop mitigation strategies to protect against, respond to, and recover from a cybersecurity risk. FDA anticipates, however, that only a “small subset” of cybersecurity vulnerabilities and exploits will actually compromise the essential clinical performance of a device and trigger the need for notification to FDA.

Vulnerabilities that do not currently appear to affect essential clinical performance should still be assessed by the manufacturer for future impact, but they will not require the same response.

FDA is most concerned about uncontrolled risk to essential clinical performance, as discussed further below.

Your existing FDA compliance processes should be reviewed through the cybersecurity lens.

  • QSR: FDA flags a number of QSR touchpoints for cybersecurity risk management programs and documentation, including complaint handling, quality audit, corrective and preventive action (CAPA), software validation and risk analysis, and servicing. Overall, FDA has indicated it will be looking for manufacturers to demonstrate a “structured and systematic approach” to risk management under the QSR. FDA recommends that manufacturers incorporate into their risk management programs elements consistent with the NIST Framework for Improving Critical Infrastructure Cybersecurity (Identify, Protect, Detect, Respond, Recover), and in an Appendix to the draft guidance FDA offers what it believes to be “Elements of an Effective Postmarket Cybersecurity Program.”
  • Part 806: Device companies face the ongoing challenge of determining when a change they have made to a product will be viewed as “continuous improvement,” that is, as merely an “enhancement.” FDA will agree that an action was an “enhancement” if it agrees the change was not made to “fix” a violation of FDA law. If, to the contrary, FDA deems the action a “correction” made to remedy a shortcoming (an FDA violation or a health risk), it will say the company was required to report the incident under the Part 806 process. (FDA spoke to this issue in its final guidance, Distinguishing Medical Device Recalls from Medical Device Enhancements, October 15, 2014.) In this latest cybersecurity guidance, FDA states that “for the majority of cases” what it calls “cybersecurity routine updates or patches” will not trigger Part 806 reporting as a correction. FDA will typically consider changes that are made solely to strengthen cybersecurity to be “device enhancements” and thus not reportable. That said, FDA leaves open the possibility that changes made to prevent or remedy certain cybersecurity vulnerabilities and exploits will trigger notification to FDA under Part 806. For example, changes made or other actions taken to address “uncontrolled risk” to “essential clinical performance” would generally be subject to Part 806 reporting requirements. The guidance states, however, that FDA does not intend to enforce reporting requirements in such a scenario if:
    • There are no known serious adverse events or deaths associated with the vulnerability;
    • Within 30 days of learning of the problem, the manufacturer’s changes or compensating controls bring the residual risk to an acceptable level;
    • Within 30 days of learning of the problem, the manufacturer notifies users; and
    • The manufacturer is a participating member of an Information Sharing Analysis Organization (ISAO, discussed further below).

This aspect of the guidance gives companies an incentive both to participate in ISAOs and to respond quickly to security vulnerabilities and report the fixes to users.

  • PMA reporting, and assessing the need for new PMA and 510(k) submissions: The draft guidance advises that, for PMA devices, newly acquired information about cybersecurity risks and changes made as part of “routine updates and patches” should be included in annual reports. The draft guidance offers recommendations for presenting this information in those reports. As is true for changes in other contexts, the guidance makes clear that manufacturers should, for any cybersecurity-related device change, assess whether the change triggers the need to submit a PMA supplement or a new 510(k) for the modified device.

FDA will “incentivize” stakeholder collaboration.

FDA’s draft guidance acknowledges the “networked” nature of more and more devices, and correctly describes cybersecurity as a “shared responsibility” among stakeholders, many of whom FDA does not regulate. FDA seeks to encourage collaboration by making recommendations to those stakeholders that it does regulate. FDA strongly encourages medical device manufacturers to participate in ISAOs, and is creating an incentive by making reduced Part 806 enforcement contingent upon a manufacturer’s participation, as explained above.


FDA’s lengthy (25-page) draft guidance includes a great deal of aspirational discussion about cooperation, and 11 newly defined terms. Device manufacturers should carefully review the implications of the draft guidance for their postmarket compliance programs, and consider submitting comments to the agency.

We encourage device manufacturers and others who may be affected by the draft guidance to contact any of the authors for assistance with assessing its potential business implications and submitting comments to FDA.