The U.S. Food & Drug Administration (FDA) has issued guidance setting forth its current thinking on issues related to cybersecurity of medical devices.
Because medical devices increasingly store or transmit sensitive patient health information, there is a growing risk of unauthorized access, modification, misuse or denial of use of the device, or of unauthorized use of that information. Medical devices that connect to other devices or to the Internet, or that have USB or other data ports, are especially exposed. The FDA notes that “[f]ailure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death.”

On October 1, 2014, the FDA advised manufacturers of medical devices to address cybersecurity during the initial design of the device, rather than retrofitting it later, in order to reduce the risk that inadequate cybersecurity compromises health information or device function once the device is in use. It also advises manufacturers to consider cybersecurity when preparing premarket submissions for FDA approval of those devices.
Manufacturers should develop a set of cybersecurity controls to ensure medical device cybersecurity and to maintain device functionality and safety. The FDA takes the position that manufacturers are already required to establish a cybersecurity vulnerability and management approach under federal regulation at 21 C.F.R. § 820.30(g). That regulation requires “design validation” by the manufacturer to ensure that devices “conform to defined user needs and intended uses,” including “software validation and risk analysis, where appropriate.” The FDA recommends that this approach address the following elements:
• Identification of assets, threats, and vulnerabilities;
• Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
• Assessment of the likelihood of a threat and of a vulnerability being exploited;
• Determination of risk levels and suitable mitigation strategies;
• Assessment of residual risk and risk acceptance criteria.
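As an added illustration, not part of the FDA guidance or of this article, the following Python walks through the five elements above as a small risk register: each entry names an asset, threat and vulnerability, is scored for likelihood and impact, is assigned a risk level and mitigations, and then has its residual risk compared with an acceptance criterion. The 3x3 ordinal scale, the level thresholds, the "accept only low residual risk" criterion and the sample entries for a hypothetical network-connected infusion pump are all assumptions constructed for the example.

```python
"""Minimal cybersecurity risk register covering the five elements the
FDA guidance lists: identify assets/threats/vulnerabilities, assess
impact, assess likelihood, derive risk levels and mitigations, then
compare residual risk against acceptance criteria.

Illustrative example only, not FDA or manufacturer code. The scale,
thresholds, acceptance criterion and sample entries are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Assumed ordinal scale for both likelihood and impact.  Real programs
# often use 4- or 5-level scales tied to the harm-severity scale of the
# device's safety risk analysis.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Mitigation:
    name: str
    likelihood_after: Optional[str] = None  # None = control does not change it
    impact_after: Optional[str] = None


@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    mitigations: list[Mitigation] = field(default_factory=list)


def risk_score(likelihood: str, impact: str) -> int:
    """Risk score = likelihood x impact on the ordinal scale (1..9)."""
    return LEVELS[likelihood] * LEVELS[impact]


def risk_level(score: int) -> str:
    """Map a score to a level; the thresholds are an assumed policy choice."""
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def residual(item: RiskItem) -> tuple[str, str]:
    """Apply mitigations in order; each may lower likelihood and/or impact.
    A control is never allowed to raise a rating on paper (min of the two)."""
    likelihood, impact = item.likelihood, item.impact
    for m in item.mitigations:
        if m.likelihood_after is not None:
            likelihood = min(likelihood, m.likelihood_after, key=LEVELS.get)
        if m.impact_after is not None:
            impact = min(impact, m.impact_after, key=LEVELS.get)
    return likelihood, impact


def assess(register: list[RiskItem], accept_at_most: str = "low") -> list[dict]:
    """One row per item: initial level, residual level, and whether the
    residual risk meets the (assumed) acceptance criterion."""
    rows = []
    for item in register:
        l_res, i_res = residual(item)
        res_level = risk_level(risk_score(l_res, i_res))
        rows.append({
            "asset": item.asset,
            "threat": item.threat,
            "vulnerability": item.vulnerability,
            "initial": risk_level(risk_score(item.likelihood, item.impact)),
            "residual": res_level,
            "accepted": LEVELS[res_level] <= LEVELS[accept_at_most],
        })
    return rows


# Constructed sample register for a hypothetical network-connected pump.
SAMPLE_REGISTER = [
    RiskItem("dose controller", "attacker on hospital network",
             "dose-change commands accepted without authentication",
             likelihood="high", impact="high",
             mitigations=[Mitigation("authenticated, encrypted control channel",
                                     likelihood_after="low"),
                          Mitigation("hard dose limits enforced in firmware",
                                     impact_after="medium")]),
    RiskItem("stored patient records", "device theft",
             "records stored unencrypted on flash",
             likelihood="medium", impact="medium",
             mitigations=[Mitigation("encryption at rest, key in secure element",
                                     impact_after="low")]),
    RiskItem("USB service port", "malicious USB stick",
             "firmware update loaded from USB without signature check",
             likelihood="medium", impact="high",
             mitigations=[Mitigation("accept only signed update images",
                                     likelihood_after="low")]),
]


def unaccepted(register: list[RiskItem] = SAMPLE_REGISTER) -> list[str]:
    """Assets whose residual risk still exceeds the acceptance criterion."""
    return [r["asset"] for r in assess(register) if not r["accepted"]]


if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
    print("needs more mitigation or documented acceptance:", unaccepted())
```

Run as written, the USB service port entry stays at medium residual risk after its single mitigation, so it is flagged for either a further control (for example, disabling updates from the port in the field) or a documented, justified risk acceptance; the other two entries drop to low and pass. The point of the structure is that the residual-risk and acceptance step is an explicit output of the record, not an afterthought.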
The recommendations in this guidance supplement the FDA’s “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices” and “Guidance to Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”.