FDA releases guidance on post-market steps for improving medical device cybersecurity

From "poor cybersecurity hygiene" to "I need FDA permission to update this cybersecurity software," the number of trite excuses explaining why medical devices have been left unprotected from cyber-attacks keeps on growing.

The FDA took aim at the threat of routine computer viruses that slow down computerized equipment and the potential for a fatal, targeted attack against an individual's infusion pump (or other lifesaving device) by releasing its second draft guidance on ensuring medical device cybersecurity. This one emphasizes vigilant monitoring and remediation in the post-market setting, while the first focused on premarket regulations.

The latest set of instructions is in many ways more important, because, as the list of excuses suggests, the biggest need for improvement lies in the areas of routine maintenance and use of best practices, primarily at the hospital level.

More details and clarifications will be presented at the agency's two-day public workshop on the topic to be held starting Wednesday at the FDA's Silver Spring, MD, headquarters.

In the guidance, the agency addressed one of the excuses directly, clarifying its stance on the requirement for advance notification. It said notification is not required for "cybersecurity routine updates or patches," but "for a small subset of cybersecurity vulnerabilities and exploits that may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death, the FDA would require medical device manufacturers to notify the agency," says a release explaining the guidance.

But if certain conditions are met, such as quick remediation and the absence of adverse events, the agency will not enforce its reporting requirements. The most interesting condition is the third one: participation in an Information Sharing Analysis Organization (ISAO).

President Obama encouraged the use of ISAOs in his Feb. 13, 2015 executive order on cybersecurity information sharing. A key feature of the organizations is that information shared "is shielded from any release otherwise required by the Freedom of Information Act or State Sunshine Laws and is exempt from regulatory use and civil litigation if the information satisfies the requirements of the Critical Infrastructure Information Act of 2002," according to the draft guidance.

The FDA said it considers voluntary participation in an ISAO to be a "critical component of a medical device manufacturer's comprehensive proactive approach to management of postmarket cybersecurity threats and vulnerabilities."

The National Health Information Sharing & Analysis Center is an example of an ISAO, and the FDA has an agreement with the organization to encourage information sharing about cybersecurity threats.

Also cited in the guidance was adoption of the voluntary "Framework for Improving Critical Infrastructure Cybersecurity" developed by the National Institute of Standards and Technology.

The FDA said cybersecurity risks and vulnerabilities should be assessed by the ease with which they can be exploited and by the severity of the impact to health should exploitation occur. The guidance contains additional elaboration on the framework, such as ways of evaluating risk to essential clinical performance.

"All medical devices that use software and are connected to hospital and healthcare organizations' networks have vulnerabilities--some we can proactively protect against, while others require vigilant monitoring and timely remediation," said Dr. Suzanne Schwartz, associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in the FDA's device arm (CDRH), in a statement. "Today's draft guidance will build on the FDA's existing efforts to safeguard patients from cyber threats by recommending medical device manufacturers continue to monitor and address cybersecurity issues while their product is on the market."

Exemplifying the growing risk and attention given to cybersecurity, the FDA last year told hospitals to stop using Hospira's Symbiq Infusion System because it can be remotely accessed by hackers, allowing an unauthorized user to control the device and change drug dosages, potentially leading to over- or under-infusion of critical patient therapies.
