By: Jaclyn Collier
It could be a movie premise. A bad guy with a vendetta hacks into his foe’s life-giving insulin pump and programs it to administer a lethal dose. A wife with her eyes on insurance money hacks into a hospital’s Bluetooth network and stops the defibrillator during her husband’s code blue. Sound crazy? It’s hard to believe that medical devices could be vulnerable to cyberattacks, but so-called “white-hat hackers” (i.e., hackers hired by companies to detect cybersecurity exposure) have uncovered vulnerabilities in almost every type of medical device available. To help address this critical issue, the Food and Drug Administration (FDA) recently published non-binding draft guidance on managing cybersecurity for medical devices in the postmarket phase.
As the world has become more interconnected, so has medicine. Patient charts are digital, hospitals are networked, and medical devices are digitized. All over the United States, there are hundreds of thousands of medical devices in hospitals, operating on hospital networks. In 2014, FDA published non-binding guidance on cybersecurity for manufacturers of medical devices. That guidance focused on cybersecurity management in the development and design phase. It advised manufacturers to consider several critical cybersecurity framework functions and use them to identify, assess, and mitigate cybersecurity risk in new medical devices. In that guidance, the FDA also provided medical device manufacturers with a list of recognized consensus standards related to information technology and medical device security.
The new draft guidance, published for comment on January 22, 2016, is centered on cybersecurity for medical devices in the postmarket phase. The FDA suggests that medical device manufacturers implement ongoing cybersecurity programs to detect and mitigate cybersecurity risks in postmarket devices. The program should cover not only monitoring for and detecting vulnerabilities, but also establishing communication processes and deploying patches that mitigate cybersecurity risk before a breach occurs and soon after vulnerabilities are identified. The FDA also strongly encourages manufacturers to participate in an Information Sharing and Analysis Organization (ISAO) to promote sharing of information about cybersecurity threats and issues across the industry.
The guidance provides evaluation methods for manufacturers to complete a cyber-vulnerability risk assessment. In assessing cybersecurity risks, the FDA addressed risks to the essential clinical performance of the device and made an important distinction between controlled risks and uncontrolled risks. Controlled risks are those where the risk that a cybersecurity vulnerability could compromise the medical device’s essential clinical performance is sufficiently low. Uncontrolled risks are those where the risk that the device’s essential clinical performance could be compromised is unacceptable. These categories dictate whether the risk needs to be reported to the FDA. If the risk is a controlled risk, it only needs to be reported if the device already requires annual reporting. If the manufacturer identifies an uncontrolled risk, not only does it need to be reported, but failure to remediate could subject the manufacturer to enforcement action because the product has the potential to cause serious adverse health consequences or even death.
The FDA’s draft guidance is more prescriptive than some other agencies’ cybersecurity guidance. For example, the Securities and Exchange Commission (SEC) published cybersecurity guidance in 2015 to address cybersecurity risks for registered investment advisers and registered investment companies. Like the FDA’s guidance, the SEC’s provides a high-level overview of its expectations for a cybersecurity program, such as conducting an assessment of the scope of the firm’s cybersecurity risks and creating a strategy to prevent, detect, and respond to cybersecurity threats. It also provides a few examples of cybersecurity risks a firm may want to address, but leaves it very open-ended for firms to tailor their programs to the nature and scope of their business. The SEC’s examples are vague and leave many open questions, whereas the FDA’s guidance sets out several detailed examples of risks, how they may be remediated, and whether a report needs to be filed.
It will be interesting to see how medical device manufacturers respond to this guidance. The FDA’s guidance is broad enough that it gives a manufacturer flexibility to design a program to mitigate cybersecurity vulnerabilities that is appropriate for its business. The FDA is rewarding “good” or proactive behavior from medical device manufacturers by permitting them to make routine updates for controlled risks without having to file reports. Further, this framework will increase speed to market for software updates and patches because manufacturers will be able to determine, based on the criteria provided, whether or not they need to complete a filing. The guidance is practical in the sense that the FDA has recognized that there is a gap in cybersecurity protection of medical devices, and that fixing it will be an iterative process. It will be iterative because of the inherent nature of developing software and because of the constantly changing landscape of technology. Medical devices can literally be a matter of life and death for patients, and the FDA’s guidance brings thoughtful, studied direction to the cybersecurity issue.
Bio: Jaclyn is a Staff Member of the Journal of High Technology Law. She is currently a 3L evening student at Suffolk University Law School. Jaclyn works at a financial services firm on regulatory and compliance issues. She enjoys cooking, reading (thankfully), and hiking.