FDA re-defining the Cybersecurity Approach:
Cyberattacks are becoming more sophisticated, and healthcare has been a primary target because of the sensitive patient information it holds. In healthcare especially, attackers have been finding vulnerabilities and ways to access the information generated by medical devices. Thanks to their remote and continuous monitoring capabilities, the use of medical devices has grown exponentially, and so have cyberattacks on IoMT and medical devices, because of the valuable medical information they collect around the clock.
But the harm from gaining access to Class 2 and Class 3 medical devices is not limited to leaked information. An attacker who gains access can control the device, and an exploited vulnerability can then result in patient harm ranging from minor to catastrophic. Because of these implications, the FDA has asked medical device companies not only to address cybersecurity in pre-market submissions but also to follow its post-market recommendations.
Thus, medical device companies that wish to market their products in the United States must adhere not only to the cybersecurity requirements of PMA submissions but also to the post-market recommendations, and must build a cybersecurity approach that helps them identify, protect against, detect, assess, and respond to cybersecurity vulnerabilities and attacks.
Non-adherence to the cybersecurity requirements in a PMA can lead to a Refuse to Accept letter from the FDA, which prevents the product from being sold and marketed in the US. The post-market recommendations are just as essential: the FDA has introduced periodic annual cybersecurity reviews in which medical device companies must submit their cybersecurity vulnerabilities, and failure to address those vulnerabilities can lead to a product recall or a ban on its use.
In this 3-blog series, the first blog dealt explicitly with the FDA's pre-market cybersecurity requirements; in this one, we cover the FDA's post-market recommendations along with ideal ways to manage cyberattacks.
Below are the FDA’s post-market cybersecurity recommendations. They help with the periodic annual reviews and with establishing an effective cybersecurity approach that lets medical device companies manage vulnerabilities and avoid patient harm from cyberattacks.
FDA’s post-market Cybersecurity recommendations:
Before we move to the recommendations, let’s first understand why the FDA emphasizes cybersecurity: what kind of patient harm cyberattacks can cause, and how the FDA classifies patient harm.
According to the FDA, “Patient harm is defined as physical injury or damage to the health of patients, including death. Health risks posed by the device may result in patient harm.”
Types of patient harm and their effects, as defined by the FDA:
- Negligible: Inconvenience or temporary discomfort
- Minor: Results in temporary injury or impairment not requiring professional medical intervention
- Serious: Results in injury or impairment requiring professional medical intervention
- Critical: Results in permanent impairment or life-threatening injury
- Catastrophic: Results in patient death
Thus, to protect patients from this harm and to keep their sensitive medical information out of unauthorized hands, the FDA's cybersecurity risk management guidance emphasizes addressing vulnerabilities that may permit unauthorized access to, modification of, misuse of, or denial of use of a medical device's information, any of which may result in patient harm.
These programs cover the areas below, and the FDA has the following recommendations for medical device companies in each:
Response to identified and reported vulnerabilities:
The FDA recommends that manufacturers act on identified vulnerabilities and report them on time. To identify such vulnerabilities, the FDA suggests that medical device companies monitor the official sources where cybersecurity information is published and consider all the risks those sources raise.
Monitoring your device and associated off-the-shelf software:
The FDA recommends that medical device companies set up cybersecurity protocols and processes across the software lifecycle. Along with the product and its own software components, medical device companies must also monitor third-party software components for new vulnerabilities throughout the device’s total product lifecycle.
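One concrete way to keep that third-party monitoring continuous is to match a device build's component inventory against incoming advisories on every feed update. The script below is an added illustration, not code from the original post or from AIMDek; the device build, component names and advisory identifiers in it are constructed placeholders, and real advisories would come from the official sources the FDA points to.

```python
"""Match a device build's third-party component inventory against an advisory feed."""

# Constructed SBOM-style inventory for one firmware build (hypothetical component names).
DEVICE_COMPONENTS = {
    "infusion-pump-fw 4.2.0": [
        ("libtls-hypothetical", "1.8.3"),
        ("rtos-net-stack", "2.0.11"),
        ("json-parser", "0.9.1"),
    ],
}

# Constructed advisory entries: (advisory id placeholder, component, first affected, fixed in).
# A fixed version of None means no patched release exists yet.
ADVISORIES = [
    ("ADV-PLACEHOLDER-001", "libtls-hypothetical", "1.8.0", "1.8.4"),
    ("ADV-PLACEHOLDER-002", "rtos-net-stack", "2.1.0", "2.1.3"),
    ("ADV-PLACEHOLDER-003", "json-parser", "0.9.0", None),
]


def parse_version(v):
    """Turn '2.0.11' into (2, 0, 11) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed, or when no fixed release exists yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_advisories(components, advisories):
    """Return one (component, version, advisory id, fixed version) tuple per affected component."""
    hits = []
    for name, version in components:
        for adv_id, adv_name, introduced, fixed in advisories:
            if adv_name == name and is_affected(version, introduced, fixed):
                hits.append((name, version, adv_id, fixed))
    return hits


if __name__ == "__main__":
    for build, comps in DEVICE_COMPONENTS.items():
        for name, ver, adv, fixed in match_advisories(comps, ADVISORIES):
            action = f"patch to {fixed}" if fixed else "no fix yet: assess and apply compensating controls"
            print(f"{build}: {name} {ver} affected by {adv} -> {action}")
```

Each hit is the starting point for the intake, assessment and patch steps described in the rest of this post; a hit with no fixed version is the case where the device's own risk assessment, not the vendor's patch, has to decide the response.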
Periodic Verification and Validation:
From design verification and validation of software updates through to software V&V, the FDA suggests that medical device companies validate all their releases, including the patches used to remediate vulnerabilities, among them those in off-the-shelf software.
Ways of identifying vulnerabilities in the system:
To ensure that they can identify vulnerabilities in their systems, medical device companies have to create procedures and periodic cybersecurity assessments that let them understand, assess and detect the presence and impact of a vulnerability.
Establish processes for vulnerability intake and handling:
Cybersecurity information about your medical device can originate from an array of sources, such as independent security researchers, in-house testing, suppliers of software or hardware technology, healthcare facilities, and information sharing and analysis organizations. Medical device companies must establish communication processes for vulnerability intake and handling. For vulnerability handling processes, the FDA has recognized the ISO/IEC 30111:2013 standard and the processes it describes.
Developing mitigations to protect, respond, and recover from the cybersecurity risk:
Using periodic device and system testing and threat modeling, with clearly defined protocols for device safety and essential performance, medical device companies must create risk mitigation protocols that minimize cyber threats, prevent patient harm, and provide effective recovery.
Periodic patch release and effective quality management systems:
Lastly, medical device companies cannot deflect or block every cyber threat. Instead of planning for an impenetrable system, they should create a structured and systematic approach to risk management that complies with 21 CFR part 820. Organizations must also make periodic patch releases and establish effective quality management systems.
A steady walk towards a cyber-secure healthcare ecosystem:
Along with submissions and post-approval processes, medical device companies will have to consider the functional changes to their SDLC that the FDA suggests, and down the line, the healthcare and MedTech industries must also prepare for the cybersecurity mark that the FDA might issue for medical devices.
In this 3-blog series that we have started at AIMDek, the first blog covered pre-market application submissions, while this one covered post-market cybersecurity recommendations. The third blog will cover how cybersecurity will impact medical devices and what to look for on the horizon in the long run.
So, stay tuned to our blog for these updates, and if you are facing any technology challenges with your medical device hardware or software, get in touch with our MedTech experts today.