Risk Management Best Practices for Cybersecurity Compliance
Cybersecurity: Patient Safety, Product Efficacy & Compliance
Savvy medical device manufacturers don’t need to be reminded twice that a strong cybersecurity program is critical to patient safety, product efficacy, and compliance with tight FDA compliance regulations. Serious alleged cybersecurity breaches have been in the news lately and should serve to stress how serious cybersecurity has become on a number of fronts.
- Medical Devices – Cybersecurity vulnerabilities have been identified in St. Jude Medical’s implantable cardiac devices and Merlin@home transmitter
- Hospitals – St. Joseph Health will pay a $2.14 Million settlement fine in regard to potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following reports that files containing electronically protected health information (ePHI) were publicly accessible through internet search engines.
- Utilities – The December 2015 cyberattacks on Ukraine’s utility power plants served as a wakeup call for the US power grid.
Risk Management Guidance: Cybersecurity
FDA just issued guidance that provides further clarification on cybersecurity risk management. At the same time, it provides some valuable advice when it comes to creating and maintaining a quality management system (QMS) that helps to identify, prioritize, and mitigate risk.
Reminders & Recommendations for Medical Device Manufacturers
Building on an extensive document from the National Institute of Standards and Technology (“Framework for Improving Critical Infrastructure Cybersecurity), FDA uses its own guidance to offer reminders and recommendations to medical device manufacturers. Here are some of the most important tips:
- Definitions – A comprehensive cybersecurity risk management plan should include clear guidelines for tracking the safety and essential performance of a medical device, potential patient harm in the event of a problem, and risk acceptance criteria. These steps should be utilized by medical device manufacturers to prioritize vulnerabilities for remediation.
- Complaint Management – FDA notes that medical device manufacturers are required to analyze complaints, returned products, service records, and other sources of quality data to identify existing and potential causes of nonconforming products or other quality problems.
- Risk Assessment – FDA recommends that medical device manufacturers characterize and assess identified vulnerabilities. Doing so effectively will provide information that can also be used to help triage as problems are detected.
- Threat Modeling -Medical device manufacturers should conduct cybersecurity risk analyses that include threat modeling for each of their medical devices and, most importantly, update those regularly. Done properly, threat modeling will provide traditional risk management and failure mode analysis paradigms. In addition, it will give manufacturers a framework to assess the threat from what the FDA calls “active adversaries/malicious use.”
- Threat Sources, Detection & Impact – Threat sources should be characterized by severity. Medical devices may not be capable of detecting threat activity and, in many cases, will be reliant on network monitoring. FDA suggests strongly that medical device manufacturers assess the impact of a cybersecurity signal both horizontally and vertically. In this context, the horizontal analysis could detect a problem across the medical device manufacturer’s entire product portfolio. A vertical focus, by contrast, would hopefully detect if there is an impact on specific components within the medical device.
Cybersecurity Breach: Protecting, Responding & Recovering
The FDA’s guidance turns its attention to protecting, responding, and recovering from a cybersecurity breach or other problem. Here, the agency recommends that medical device manufacturers implement device-based features, such as device design controls, as a primary means of mitigating any risk to medical device end-users.
Adopting Coordinated Vulnerability Disclosure Policy
FDA also urges medical device manufacturers to adopt a coordinated vulnerability disclosure policy and practices that feature a clear means of acknowledging receipt of any vulnerability to the vulnerability submitter within a clearly defined time frame.
Leveraging Cybersecurity Vulnerability Plan
Once a plan is approved internally and implemented, medical device manufacturers should leverage it in a number of ways, including:
- Risk Management – Determining if the threat of patient harm raised by the vulnerability is adequately addressed and controlled by existing features and/or defined compensating controls, i.e. residual risk levels have been deemed acceptable based on a defensible criterion.
- Action Plan – An action plan should be in place to reflect the magnitude of the identified problem and align it with risks both demonstrated and potential.
- Transparent Evaluation – Medical device manufacturers should also include a detailed and transparent evaluation of residual risk and any risk introduced by the remediation itself.
Medical Device Enhancement or Recall?
Finally, the guidance clarifies that changes made for the vulnerability of controlled risk are “generally” considered medical device enhancements and not full-blown recalls. In addition, routine updates to cybersecurity programs and the use of patches are not usually considered a type of medical device enhancement.
If Utilities Can Be Breached…
Cybersecurity threats are as fresh as today’s headlines. As the nation’s utilities recently reported a breach, it’s obvious that medical device manufacturers are also at risk. While most hackers do not have the skill set of those making the news today, it’s worth noting that a medical device manufacturer is a much easier target than institutions with far more stringent protections that have already been breached.
Compliance With Manual Risk Management System?
Cybersecurity for medical device manufacturers will remain a consistent theme in 2017. How can you maintain FDA compliance if your current quality management system’s risk management solution includes a manual component? An automated quality management system like AssurX provides an added layer of protection against cybersecurity threats by providing continuous updates and easier analysis. Act now. Is it worth waiting to find out how your company will respond to a cybersecurity breach with a manual process?