Software Integrity


FDA clarifies medical device security

Hoping to settle questions about manufacturer responsibility for issuing software updates to medical devices, and about whether such updates change a device’s compliance status, the Food & Drug Administration (FDA) last Friday released a new draft document that also calls for greater collaboration among medical device manufacturers on cybersecurity in general. The document covers both pre-market and post-market considerations for mitigating patient risk while manufacturers improve the security posture of their products.

The document follows an increasing number of medical device hacks affecting drug pumps, pacemakers, and even hospital equipment within the last few years.

Part of the problem has been that once a medical device has passed FDA approval for use in the United States, manufacturers have been loath to make additional changes to the device, even if only a security update, for fear that the change would require the device to be re-tested by the FDA. To clarify, the FDA now says that changes manufacturers make to existing software to enhance security without affecting its clinical use are categorized as “cybersecurity routine updates or patches.” For such changes, the FDA does not require advance notification or reporting. On the other hand, any software update or patch that might compromise the “clinical performance of a device” and “present a reasonable probability of serious adverse health consequences or death” does require FDA notification.

To illustrate the criteria for making these determinations, the draft walks manufacturers through a variety of scenarios in which the manufacturer learns of a vulnerability either from the security community or as the result of a “serious adverse event” or patient death. The draft document also walks through scenarios in which a manufacturer would not be required to file a report under 21 CFR part 806 and/or meet the reporting requirements of 21 CFR part 803.

This new draft document, which applies to medical devices that contain software (including firmware) or programmable logic and also covers software that is by itself a medical device, is meant to supplement the FDA document “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.” It also references the existing documents “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” and the “Framework for Improving Critical Infrastructure” from the National Institute of Standards and Technology (NIST).

Above all, the new draft document stresses that medical device manufacturers should collaborate on cybersecurity issues and join an Information Sharing and Analysis Organization (ISAO), a structure established under Executive Order 13691 for sharing cybersecurity information. Unlike ISACs, ISAOs are not organized by critical infrastructure sector and are designed to be much more flexible and cross-functional.

The FDA will be soliciting comments from the public on this draft document for the next 90 days before issuing its final guidance.