FDA lays out postmarket medical device cybersecurity recs in final guidance

As our world becomes more interconnected, so do our medical devices: we are connecting devices such as insulin pumps and glucose meters to apps, some of which also have cloud connectivity, enabling patients to share their health data with caregivers and loved ones. But this increased interconnectivity comes with vulnerability to cybersecurity threats.

The FDA published its final guidance on the postmarket management of cybersecurity in medical devices last week. The recommendations apply to medical devices that contain software (including programmable logic) and to software that is itself regulated as a medical device, such as mobile medical apps. The document complements the agency's final guidance on premarket cybersecurity for medical devices, issued in 2014, which covers what manufacturers should build into a device before it ships.

"Because cybersecurity risks to medical devices are continually evolving, it is not possible to completely mitigate risks through premarket controls alone,” the FDA said in the guidance. “Therefore, it is essential that manufacturers implement comprehensive cybersecurity risk management programs and documentation consistent with the Quality System Regulation (21 CFR part 820).”

A postmarket cybersecurity program would include the following, the FDA said:

  • Monitoring cybersecurity information sources that can help devicemakers identify and detect cybersecurity vulnerabilities and risk
  • Maintaining software life-cycle processes that include:
    • The monitoring of third-party software components for new vulnerabilities
    • Design verification and validation for software updates and patches that are used to address vulnerabilities
  • Using threat modeling to determine how to maintain the safety and essential performance of a device
  • Deploying mitigations that deal with cybersecurity vulnerabilities early and before they are exploited.
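The second bullet above, monitoring third-party software components for newly disclosed vulnerabilities, is the one item in this list that reduces to a concrete, repeatable check: keep a component inventory (a software bill of materials, or SBOM) for each shipped device version and match it against advisory feeds as they arrive. The script below is an added illustration of that check; it is not part of the FDA guidance and not any manufacturer's tooling. The SBOM, the advisory identifiers (ADV-2016-000x) and the component names are all constructed sample data, and the version-range syntax (`>=2.0,<2.4.1`) is an assumed format chosen for the example. Components listed without a version cannot be cleared automatically and are routed to manual review rather than silently ignored, which is the failure mode a naive match would have.

```python
"""Match a device SBOM against vulnerability advisories (constructed sample data)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed identifier, not a real CVE/advisory
    component: str        # component name as it appears in the feed
    affected: str         # assumed range syntax: comma-separated clauses like ">=2.0,<2.4.1"
    fixed_in: Optional[str]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.2.3-rc1' into (1, 2, 3); non-numeric suffixes are ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare two version tuples, padding with zeros so 1.2 == 1.2.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
    "==": lambda c: c == 0,
}


def version_in_range(version: str, spec: str) -> bool:
    """True if every clause of the range spec holds for the given version."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](_cmp(v, parse_version(bound))):
            return False
    return True


def match_sbom(sbom: List[dict], advisories: List[Advisory]):
    """Return (affected, needs_review).

    affected:     (component, version, advisory_id, fixed_in) for confirmed hits
    needs_review: (component, advisory_id) where the SBOM lacks a version,
                  so the match cannot be confirmed or ruled out automatically
    """
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv.component.lower(), []).append(adv)

    affected, needs_review = [], []
    for comp in sbom:
        for adv in by_name.get(comp["name"].lower(), []):
            version = comp.get("version")
            if not version:
                needs_review.append((comp["name"], adv.advisory_id))
            elif version_in_range(version, adv.affected):
                affected.append((comp["name"], version, adv.advisory_id, adv.fixed_in))
    return affected, needs_review


# Constructed SBOM for a hypothetical device firmware build.
SAMPLE_SBOM = [
    {"name": "libtls", "version": "2.3.7"},
    {"name": "json-parse", "version": "1.4.0"},
    {"name": "btstack-lite", "version": None},   # version missing from the build manifest
    {"name": "rtos-core", "version": "5.1"},
]

# Constructed advisory feed; identifiers and ranges are invented for the example.
SAMPLE_ADVISORIES = [
    Advisory("ADV-2016-0001", "LibTLS", ">=2.0,<2.4.1", "2.4.1"),
    Advisory("ADV-2016-0002", "json-parse", "<1.2.3", "1.2.3"),
    Advisory("ADV-2016-0003", "btstack-lite", "<=0.9", "1.0"),
]

if __name__ == "__main__":
    hits, review = match_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for name, ver, adv_id, fix in hits:
        print(f"AFFECTED  {name} {ver}: {adv_id} (fixed in {fix})")
    for name, adv_id in review:
        print(f"REVIEW    {name}: no version in SBOM, cannot evaluate {adv_id}")
```

Running this against the sample data flags `libtls 2.3.7` as affected by the constructed ADV-2016-0001 and sends `btstack-lite` to manual review; `json-parse 1.4.0` is correctly cleared because it is past the affected range. In a real program the advisory list would come from an ISAO feed or vendor notifications and the SBOM from the build system, and each confirmed hit would feed the risk assessment (controlled versus uncontrolled) described later in the article.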

A key recommendation is that devicemakers participate in an Information Sharing Analysis Organization (ISAO). ISAOs gather and evaluate vulnerability and threat information to improve understanding of cybersecurity risks, and disseminate that knowledge to help stakeholders identify, prevent, mitigate or recover from threats.

The FDA distinguishes between controlled and uncontrolled risk. Controlled risk means the residual risk of patient harm from a vulnerability, after existing mitigations are taken into account, is sufficiently low and acceptable; uncontrolled risk means that residual risk remains unacceptable because the mitigations in place are inadequate. Where risk is controlled, the agency treats updates or patches that address the vulnerability as routine device enhancements and does not intend to enforce the correction-and-removal reporting requirements of 21 CFR part 806 for them. Where risk is uncontrolled, the guidance expects the manufacturer to remediate, and the change is reportable under part 806 unless the manufacturer meets the guidance's conditions for relief: no known serious adverse events or deaths tied to the vulnerability, notification of users and interim compensating controls within 30 days, a validated fix within 60 days, and active participation in an ISAO.

“Today’s postmarket guidance recognizes today’s reality—cybersecurity threats are real, ever-present, and continuously changing,” said Dr. Suzanne Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health, in a blog post. “In fact, hospital networks experience constant attempts of intrusion and attack, which can pose a threat to patient safety. And as hackers become more sophisticated, these cybersecurity risks will evolve.”