US FDA Medical Device Cybersecurity Policy Takes Shape
The US Food and Drug Administration has published final guidance on cybersecurity controls manufactures should build into their medical devices in order to ensure proper safety and functionality—and to meet premarket review scrutiny.
The new guidance applies to all major US premarket submissions including 510(k) premarket notifications, premarket approval (PMA) applications, de novo and product development protocol (PDP) submissions, and Humanitarian Device Exemption (HDE) submissions.
According to the guidance, FDA reviewers expect manufacturers to develop cybersecurity measures during their products’ design and development phases; such measures should address issues including:
- Identifying assets, threats and vulnerabilities of the device
- Assessing how those threats and vulnerabilities would affect users or patients as well as device functionality
- The likelihood of an identified threat or vulnerability being exploited
- Determining risk levels and appropriate mitigation processes
- Assessing residual risks as well as risk acceptance criteria
Factors affecting elements of a device cybersecurity system
The FDA does distinguish between devices more prone to cybersecurity breaches—products with wireless connections to other devices—than others, and recommends that manufacturers of such devices build stronger cybersecurity controls to address potential risks.
A manufacturer should consider issues such as its device’s intended use, whether and how it uses electronic data interfaces, and the extent of harm a patient or user would experience in the event of the device’s cybersecurity breach. However, manufacturers should also make sure any security measures built into their devices do not impair their products’ intended uses—this recommendation is particularly targeted to devices designed for use in emergency or critical situations.
Examples of cybersecurity measures for devices mentioned in the guidance include limiting access via user authentication, ensuring secure data transfers and encryption, and tools to detect security breaches and warn users.
Documentation to include in premarket submissions
Going forward, FDA reviewers will want to see proof of registrants’ cybersecurity controls in their premarket submission documentation. So what should manufacturers include in their documentation? The following:
- Hazard analysis and design considerations related to the device’s cybersecurity risks
- Traceability matrices linking cybersecurity controls to identified cybersecurity risks
- Summarized plan for providing software updates and patches throughout the device’s lifecycle
- Summary of controls to ensure device software will maintain its integrity during the development process
- Instructions for use and recommended security controls such as anti-virus software and firewalls
Special considerations for medical app developers
Although the new FDA guidance does not specifically mention mobile medical application and telehealth product developers, the agency’s recommendations obviously have significant impact on such firms whose apps are regulated as devices.
In light of recent security breaches involving personal photos of celebrities stored on cloud servers, medical app developers whose products rely on cloud storage for patient or performance data should also consider the potential ramifications if they were to experience a similar breach. Are the risks of utilizing cloud servers for sensitive medical information worth taking, or should developers use more secure—but more expensive—storage options? Again, the FDA’s cybersecurity guidance does not directly address this issue, but given the agency’s plans for a nationwide health IT framework in coordination with the Federal Communications Commission (FCC), developers should anticipate greater interest from regulators in data storage practices as part of a broader approach to mobile medical technologies.