January 30, 2017

A new FDA guidance concerning risk management helps medical device manufacturers meet expectations regarding an effective postmarket cybersecurity program.

Cybersecurity: Patient Safety, Product Efficacy & Compliance

Savvy medical device manufacturers don’t need to be reminded twice that a strong cybersecurity program is critical to patient safety, product efficacy, and compliance with tight FDA compliance regulations. Serious alleged cybersecurity breaches have been in the news lately and should serve to stress how serious cybersecurity has become on a number of fronts.

Risk Management Guidance: Cybersecurity

FDA just issued guidance that provides further clarification on cybersecurity risk management. At the same time, it provides some valuable advice when it comes to creating and maintaining a quality management system (QMS) that helps to identify, prioritize, and mitigate risk.

Reminders & Recommendations for Medical Device Manufacturers

Building on an extensive document from the National Institute of Standards and Technology (“Framework for Improving Critical Infrastructure Cybersecurity), FDA uses its own guidance to offer reminders and recommendations to medical device manufacturers. Here are some of the most important tips:

  • Definitions – A comprehensive cybersecurity risk management plan should include clear guidelines for tracking the safety and essential performance of a medical device, potential patient harm in the event of a problem, and risk acceptance criteria. These steps should be utilized by medical device manufacturers to prioritize vulnerabilities for remediation.
  • Complaint Management – FDA notes that medical device manufacturers are required to analyze complaints, returned products, service records, and other sources of quality data to identify existing and potential causes of nonconforming products or other quality problems.
  • Risk Assessment – FDA recommends that medical device manufacturers characterize and assess identified vulnerabilities. Doing so effectively will provide information that can also be used to help triage as problems are detected.
  • Threat Modeling -Medical device manufacturers should conduct cybersecurity risk analyses that include threat modeling for each of their medical devices and, most importantly, update those regularly. Done properly, threat modeling will provide traditional risk management and failure mode analysis paradigms. In addition, it will give manufacturers a framework to assess the threat from what the FDA calls “active adversaries/malicious use.”
  • Threat Sources, Detection & Impact – Threat sources should be characterized by severity. Medical devices may not be capable of detecting threat activity and, in many cases, will be reliant on network monitoring. FDA suggests strongly that medical device manufacturers assess the impact of a cybersecurity signal both horizontally and vertically. In this context, the horizontal analysis could detect a problem across the medical device manufacturer’s entire product portfolio. A vertical focus, by contrast, would hopefully detect if there is an impact on specific components within the medical device.

Cybersecurity Breach: Protecting, Responding & Recovering

The FDA’s guidance turns its attention to protecting, responding, and recovering from a cybersecurity breach or other problem. Here, the agency recommends that medical device manufacturers implement device-based features, such as device design controls, as a primary means of mitigating any risk to medical device end-users.

Explore the automated solution provided by the AssurX quality management system today!

— AssurX (@AssurXJanuary 17, 2017

Adopting Coordinated Vulnerability Disclosure Policy

FDA also urges medical device manufacturers to adopt a coordinated vulnerability disclosure policy and practices that feature a clear means of acknowledging receipt of any vulnerability to the vulnerability submitter within a clearly defined time frame.

Leveraging Cybersecurity Vulnerability Plan

Once a plan is approved internally and implemented, medical device manufacturers should leverage it in a number of ways, including:

  • Risk Management – Determining if the threat of patient harm raised by the vulnerability is adequately addressed and controlled by existing features and/or defined compensating controls, i.e. residual risk levels have been deemed acceptable based on a defensible criterion.
  • Action Plan – An action plan should be in place to reflect the magnitude of the identified problem and align it with risks both demonstrated and potential.
  • Transparent Evaluation – Medical device manufacturers should also include a detailed and transparent evaluation of residual risk and any risk introduced by the remediation itself.

Medical Device Enhancement or Recall?

Finally, the guidance clarifies that changes made for the vulnerability of controlled risk are “generally” considered medical device enhancements and not full-blown recalls. In addition, routine updates to cybersecurity programs and the use of patches are not usually considered a type of medical device enhancement.

If Utilities Can Be Breached…

Cybersecurity threats are as fresh as today’s headlines. As the nation’s utilities recently reported a breach, it’s obvious that medical device manufacturers are also at risk. While most hackers do not have the skill set of those making the news today, it’s worth noting that a medical device manufacturer is a much easier target than institutions with far more stringent protections that have already been breached.

White Paper: Automating Your Quality Management System (QMS) | Pitfalls + Essential Strategies

Download this white paper to learn common pitfalls + essential strategies for success when automating your quality management system (QMS).

Compliance With Manual Risk Management System?

Cybersecurity for medical device manufacturers will remain a consistent theme in 2017. How can you maintain FDA compliance if your current quality management system’s risk management solution includes a manual component? An automated quality management system like AssurX provides an added layer of protection against cybersecurity threats by providing continuous updates and easier analysis. Act now. Is it worth waiting to find out how your company will respond to a cybersecurity breach with a manual process?