FDA Draft Guidance for Postmarket Management of Cybersecurity in Medical Devices Puts Manufacturers on Notice of Potential Cybersecurity Risks
This post also appears on Goldberg Segalla’s Product Liability Playbook blog.
On January 22, 2016, citing cybersecurity threats to medical devices as a growing concern, the United States Food and Drug Administration issued draft guidance for industry and FDA staff on the postmarket management of cybersecurity in medical devices. Public comments on the draft guidance will be open for 90 days.
According to the FDA release, a growing number of medical devices are designed to be networked to improve and facilitate patient care. However, the FDA notes that networked medical devices incorporate software that may be vulnerable to cybersecurity threats, which may represent a risk to the safety and effectiveness of those devices. The FDA notes that while manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also consider improvements during maintenance of devices, because the evolving threat landscape means new risks may arise throughout a device’s entire lifecycle. Cybersecurity training is becoming an integral part of any organization.
In 2014, a report by Parks and Associates predicted that unit sales of networked medical devices would exceed 14 billion units by 2018, a five-fold increase from 2012. These devices include weight scales, blood pressure monitors, glucometers, insulin pumps, ECGs, pulse oximeters, sleep apnea appliances, and home INR testing products. With this increase in the number of devices using new and ever-advancing technology, cybersecurity issues have become more complex. A 2015 paper by Williams and Woodward published in the journal Medical Devices cites a SANS Institute report indicating that 94 percent of health care organizations have been the victim of a cyberattack, including attacks on medical devices. Williams and Woodward cite successful cyberattacks on devices including insulin pumps and pacemakers, as well as a malware attack that affected US Department of Veterans Affairs medical devices running over a trusted network, as proof that a cyberattack could potentially affect networked medical devices from anywhere in the world.
The FDA draft guidance outlines postmarket recommendations for medical device manufacturers, including the need to proactively plan for and assess cybersecurity vulnerabilities in their products. Specifically, the draft guidance recommends that manufacturers of medical devices implement a structured, systematic, and comprehensive cybersecurity risk management program and respond in a timely fashion to identified vulnerabilities, including deploying mitigations that address cybersecurity risk early and prior to exploitation.
While the draft guidance would not require agency notification or reporting under 21 CFR part 806 for routine updates or patches, vulnerabilities or exploits that may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death would require the manufacturer to notify the FDA.
Certainly, cybersecurity issues involving networked medical devices are not new. However, in “encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices,” the FDA is clearly putting manufacturers on notice that safeguarding against cybersecurity vulnerabilities in their products should be a priority.