On December 28, the U.S. Food and Drug Administration issued its “nonbinding recommendations” guidance for addressing post-market cybersecurity vulnerabilities in medical devices under the title “Postmarket Management of Cybersecurity in Medical Devices.” By its terms, the guidance sets out a “risk-based framework for assessing when changes to medical devices for cybersecurity vulnerabilities require reporting to the Agency and outlines circumstances in which FDA does not intend to enforce reporting requirements.”
By its terms, the Guidance applies to: “1) medical devices that contain software (including firmware) or programmable logic, and 2) software that is a medical device, including mobile medical applications.” It applies to legacy devices, in addition to those going onto the market.
While the guidance states that it is a “nonbinding recommendation,” it represents the FDA’s recommendations to its own staff regarding the medical device community’s responsibilities to monitor, identify, and address cybersecurity threats to medical devices, including for emerging connected medical devices.
A few points in the guidance stand out in particular:
- A good cybersecurity risk management program includes: (1) monitoring cybersecurity information sources for identification and detection of risks; (2) maintaining robust software lifecycle processes that include monitoring third-party software, and verification and validation for software updates and patches; (3) establishing and communicating processes for vulnerability intake and handling; (4) using threat modeling; (5) adopting a coordinated vulnerability disclosure policy and practice; and (6) deploying mitigation strategies. The FDA recommends that manufacturers “incorporate elements consistent with the NIST Framework for Improving Critical Infrastructure Cybersecurity.”
- The guidance concedes that “medical devices and the surrounding network infrastructure cannot be completely secured.” However, the focus of the program is on “the safety and essential performance of their device, the resulting severity of patient harm if compromised, and the risk acceptance criteria.”
- The FDA further urges manufacturers to characterize cybersecurity vulnerabilities as “acceptable or unacceptable” and “controlled or uncontrolled.” Uncontrolled risks are those that are “present when there is unacceptable residual risk of patient harm due to insufficient risk mitigations and compensating controls.” While uncontrolled risks need to be reported to consumers and the FDA, the FDA does not intend to enforce reporting requirements where: (1) there are no serious adverse effects, (2) the manufacturer provides interim and remediating controls to customers within 30 days, (3) the manufacturer fixes the vulnerability within 60 days, and (4) the manufacturer actively participates in an information sharing analysis organization (“ISAO”) that shares vulnerabilities and threats.
Postmarket Management of Cybersecurity in Medical Devices (FDA Dec. 28, 2016), available at: http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.
Id., p. 4.
Id., p. 8.
Id., pp. 13-14.
Id., p. 14.
Id., p. 14.
Id., p. 15.
Id., Section VII.
Id., pp. 8, 23.