While healthcare providers and medical device manufacturers often disagree on their relative responsibility for cybersecurity matters, FDA takes the position that cybersecurity risk management is a shared duty among stakeholders including the device manufacturer, users, the Information Technology (IT) system integrator, health IT developers and IT vendors that provide products that are not regulated by FDA. The guidance recognizes that failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats, any of which may ultimately have the potential to result in patient illness, injury or death.
The draft recommends that manufacturers take a proactive, risk-based approach to cybersecurity, consistent with the QSR, by:
- Developing, documenting and implementing a structured and systematic comprehensive cybersecurity risk management program consistent with the 2014 NIST Voluntary Framework for Improving Critical Infrastructure Cybersecurity (i.e., Identify, Protect, Detect, Respond and Recover);
- Engaging in cybersecurity information sharing and monitoring, including through participation in an Information Sharing Analysis Organization (ISAO), which is a group that shares information on critical infrastructure information across industries in the private sector as well as between the private sector and government to help prevent, detect, mitigate or recover from cyber threats; and
- Performing routine device cybersecurity maintenance, including “routine updates and patches.”
A key component of cybersecurity vulnerability assessment is identifying “essential clinical performance,” a term introduced in the draft and defined as “the performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer.” According to FDA, identifying essential clinical performance involves considering the requirements necessary to achieve device safety and effectiveness. “Risk” is further bifurcated into (1) “controlled risk,” which is “present when there is sufficiently low (acceptable) residual risk that the device’s essential clinical performance could be compromised by a cybersecurity vulnerability,” and (2) “uncontrolled risk,” which is “present when there is unacceptable residual risk that the device’s essential clinical performance could be compromised due to insufficient compensating controls and risk mitigations.” The draft provides a number of recommendations for, and examples of, both controlled and uncontrolled risks.
FDA recently demonstrated its willingness to intervene if it determines that a device with an uncontrolled cybersecurity vulnerability poses an unacceptable risk to patients. Last July, FDA took the extraordinary measure of alerting hospitals that the Symbiq Infusion System was vulnerable to exploitation by hackers and recommending that hospitals discontinue using the device. The device manufacturer and an independent researcher had confirmed that the device could be accessed remotely through a hospital’s network, which could permit an unauthorized user to remotely control the device and change dosage settings, potentially leading to over- or under-infusion.
The draft explains that, when an uncontrolled risk is swiftly addressed in a manner that adequately reduces the risk, and when certain other conditions are met, FDA will not enforce urgent reporting of the vulnerability under 21 CFR part 806. For FDA to exercise this enforcement discretion, all of the following criteria must be met:
- There are no known serious adverse events or deaths associated with the vulnerability;
- Within thirty days of learning of the vulnerability, the manufacturer identifies and implements device changes or external safeguards to reduce the residual risk to an acceptable level; and
- The manufacturer voluntarily participates in an ISAO.
This final criterion, voluntary participation in an ISAO, illustrates that FDA expects device manufacturers to take a proactive approach to cybersecurity by learning from other industries how to identify and mitigate cyber risk to develop best practices and by communicating information pertaining to potential cybersecurity threats to other stakeholders.
The draft guidance is part of FDA’s ongoing effort to ensure the safety and effectiveness of medical devices in the face of potential cyber threats through all stages of the product lifecycle consistent with the QSR. It follows Executive Order 13636 – Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive 21, which called upon stakeholders in the public and private sectors to strengthen critical cybersecurity infrastructure. As part of these efforts, FDA also released a final guidance in October 2014 entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.”
If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or
+1 202 736 8803
+1 202 736 8132
+1 202 736 8381
To receive Sidley Updates, please subscribe at www.sidley.com/subscribe.
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.