October 30, 2014

The FDA will focus more on a device maker’s overall approach to ensuring cybersecurity rather than burrowing down and kicking the tires on each individual risk mitigation program, FDA’s Abiy Desta said at an agency webinar Oct. 29.

That’s not to say the agency is lightening up on its quest to make the industry take device cybersecurity seriously. Rather, it appears to be the FDA’s way of reminding device makers to focus first on the overall big picture, backed by a sound rationale, and then apply that rationale to any number of potential risks further down the decision tree.

In its Oct. 2 guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” the agency laid out its basic requirements, though at the Oct. 29 webinar the agency stressed it would accept other approaches, as long as the strategy behind them was defensible.

That “alternative” approach must still have controls in place, and the device maker must be able to show the FDA that its program properly addresses those controls as outlined in the premarket submission.

Desta, of the Office of the Center Director at the Center for Devices and Radiological Health (CDRH), also urged the industry to take advantage of the FDA-recognized consensus standards listed on page 7 of the Oct. 2 guidance. The FDA’s list of recognized consensus standards is available online; typing “security” in the title search returns the current list of IT and medical device security consensus standards recognized by the FDA. It’s a handy reference.

He also outlined some of the core functions FDA wants to see addressed in a comprehensive cybersecurity program, including:

  • Limiting access to trusted users by using layered privileges, appropriate authentication, and strong passwords.
  • Protecting users and data by terminating sessions after a period of inactivity, setting up physical locks, and limiting access ports.
  • Detecting, responding and recovering by implementing features that alert a user when the device has been compromised, provide information on what to do when that occurs, preserve critical functions (including the ability to reboot and recognize drivers), and provide methods for retention and recovery of device configuration.
  • Establishing a hazard analysis program that clearly evaluates risk potential, provides information on the controls put in place and the appropriateness of those controls for mitigating an identified risk, and includes a matrix that links each cybersecurity control to the risk it mitigates.

Finally, the agency expects to see a document that lays out a plan for providing patches and updates as needed and that assures overall device integrity.

While the FDA noted that cybersecurity is also the responsibility of others in the chain, including hospitals and patients, it made it clear that the first place it will look in the event of a breach is the device maker’s office.