This post was written by Kevin Madagan and Jennifer Pike.
The Food and Drug Administration (FDA) has announced the availability of a new draft guidance document entitled "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices." The draft guidance identifies cybersecurity issues that medical device manufacturers should consider in preparing premarket submissions for medical devices – including Premarket Notifications (510(k)), Premarket Approval Applications (PMA), Product Development Protocols (PDP), and Humanitarian Device Exemption (HDE) submissions– in order to provide effective cybersecurity management and to reduce the risk that device functionality is intentionally or unintentionally compromised. The draft guidance highlights the need for effective medical device cybersecurity given "the increasing use of wireless, Internet- and network-connected devices and the frequent electronic exchange of medical device-related health information."
FDA’s draft guidance relates to a recommendation by the Government Accountability Office (GAO) in August 2012 that FDA develop and implement a plan to expand its focus on information security risks, with a particular focus on security risks resulting from intentional threats (e.g., hacking, malware).
Comments on the draft guidance should be submitted in writing, or online at www.regulations.gov, by September 12, 2013.
In a related matter, FDA recently released two Safety Communications (available here and here) concerning cybersecurity for medical devices and hospital networks. The Safety Communications recommend that medical device manufacturers and health care facilities take steps to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical device and hospital networks. Specifically, the Safety Communications recommend the following:
- Device Manufacturers. Device manufacturers should "remain vigilant" about identifying risk and hazards and take "appropriate steps" to reduce the risk of device failure due to cyberattack. This includes reviewing cybersecurity practices and policies to "assure that appropriate safeguards are in place," such as:
--Taking steps to limit unauthorized device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks;
-- Protecting individual components from exploitation and developing strategies for active security protection appropriate for the device’s use environment;
-- Using design approaches that maintain a device’s critical functionality, even when security has been compromised ("fail-safe" modes); and
-- Providing methods for retention and recovery after an incident where security has been compromised.
- Hospital Networks/Health Care Facilities. Hospital networks and health care facilities should evaluate their network security and take steps to protect the network. This includes:
-- Restricting unauthorized access to the network and networked medical devices;
-- Making certain appropriate antivirus software and firewalls are up-to-date;
-- Monitoring network activity for unauthorized use;
-- Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services;
-- Contacting the specific device manufacturer if a cybersecurity problem related to a medical device is suspected; and
-- Developing and evaluating strategies to maintain critical functionality during adverse conditions.
Reed Smith will be issuing additional updates in the near future about these recent cybersecurity developments.