On Oct. 29, 2014, the United States Food and Drug Administration (FDA) held a webinar on its Final Guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” According to the FDA, the webinar was intended to explain the guidance and to provide a forum for stakeholders to ask questions.
Issued on Oct. 2, 2014, the FDA’s cybersecurity guidance sets out voluntary, non-binding recommendations designed to help medical device manufacturers identify the cybersecurity issues that should be considered in the design and development of their devices. The guidance further recommends that manufacturers document potential cybersecurity risks in their premarket submissions, along with the measures and controls they have implemented to mitigate those risks.
The guidance applies to a wide range of premarket submissions for medical devices that contain software or are themselves software. Among others, the FDA specifies that 510(k)s, de novo submissions and Premarket Approval Applications (PMAs) are covered. Importantly, this framework also covers mobile medical applications that are subject to FDA clearance (via a 510(k), for example). In light of new smartphone- and wearable-based technologies and the projected growth in the number of mobile medical applications, developers of those apps should be mindful of the new guidance and its recommendations.
The FDA’s guidance has two principal themes. First, as part of a manufacturer’s design and development process, the FDA encourages manufacturers to establish a set of cybersecurity controls designed to maintain device functionality and safety, based on the intended use of the device. Consistent with the Quality System Regulation (QSR), the FDA states that an appropriate plan to identify and manage potential cybersecurity risks includes the following elements:
- Identification of assets, threats and vulnerabilities.
- Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients.
- Assessment of the likelihood of a threat and of a vulnerability being exploited.
- Determination of risk levels and suitable mitigation strategies.
- Assessment of residual risk and risk acceptance criteria.
Second, the FDA’s guidance sets forth recommendations for manufacturers to document their consideration of cybersecurity risks, as well as their implementation of controls designed to safeguard the integrity of the device software. In particular, the FDA encourages manufacturers to include the following information in a premarket submission for an applicable medical device:
- Hazard analysis of cybersecurity risks.
- Traceability matrix linking cybersecurity controls to identified cybersecurity risks.
- Summary of the manufacturer’s plans for providing software updates and patches.
- Summary of the controls implemented by the manufacturer to assure the integrity of the medical device software until it leaves the manufacturer’s control.
- Relevant instructions for use related to the device’s cybersecurity controls.
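The risk-management elements listed under the first theme and the hazard analysis and traceability matrix listed under the second fit together as one record: each identified asset/threat/vulnerability triple gets an impact and likelihood, a risk level follows, controls are traced to the risks they mitigate, and residual risk is compared against acceptance criteria. The following Python is an added example of such a record and the checks a submission reviewer would run over it; it is not code from the FDA guidance or from any manufacturer. The 1–5 impact and likelihood scales, the level thresholds, the assumption that a control lowers likelihood by a fixed number of points, and the sample insulin-pump risks are all constructed for illustration, since the guidance leaves the scoring method to the manufacturer's own risk process.

```python
"""Risk register and traceability check for a premarket cybersecurity submission.

Added example; the scoring scales, thresholds and sample data below are
assumptions for illustration, not part of the FDA guidance.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    impact: int      # assumed 1-5 scale: 1 = negligible, 5 = serious patient harm
    likelihood: int  # assumed 1-5 scale: 1 = rare, 5 = expected


@dataclass
class Control:
    control_id: str
    description: str
    mitigates: tuple           # risk IDs this control is traced to
    likelihood_reduction: int  # assumed model: points removed from likelihood


def risk_level(impact, likelihood):
    """Assumed 5x5 matrix: product >= 15 is high, >= 8 medium, else low."""
    score = impact * likelihood
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def traceability_matrix(risks, controls):
    """Map every identified risk to the controls traced to it (possibly none).

    A control that cites a risk ID absent from the hazard analysis is a
    documentation defect, so it is rejected rather than silently dropped.
    """
    matrix = {r.risk_id: [] for r in risks}
    for c in controls:
        for rid in c.mitigates:
            if rid not in matrix:
                raise ValueError(f"{c.control_id} references unknown risk {rid}")
            matrix[rid].append(c.control_id)
    return matrix


def residual_risks(risks, controls):
    """Return {risk_id: (initial_level, residual_level)} after traced controls."""
    matrix = traceability_matrix(risks, controls)
    by_id = {c.control_id: c for c in controls}
    result = {}
    for r in risks:
        reduction = sum(by_id[cid].likelihood_reduction for cid in matrix[r.risk_id])
        residual_likelihood = max(1, r.likelihood - reduction)
        result[r.risk_id] = (risk_level(r.impact, r.likelihood),
                             risk_level(r.impact, residual_likelihood))
    return result


def find_gaps(risks, controls, acceptable=("low",)):
    """List risks whose residual level fails the (assumed) acceptance criteria.

    A risk that is already acceptable without any control is an accepted
    residual risk, not a gap; a risk above the threshold is reported either
    as untraced (no control at all) or as insufficiently mitigated.
    """
    matrix = traceability_matrix(risks, controls)
    residual = residual_risks(risks, controls)
    gaps = []
    for r in risks:
        _initial, after = residual[r.risk_id]
        if after in acceptable:
            continue
        if not matrix[r.risk_id]:
            gaps.append((r.risk_id, "no control traced to this risk"))
        else:
            gaps.append((r.risk_id, f"residual risk {after} exceeds acceptance criteria"))
    return gaps


# Constructed sample hazard analysis for a hypothetical connected insulin pump.
RISKS = [
    Risk("R1", "dosing command channel", "unauthenticated remote command",
         "telemetry protocol accepts bolus commands without authentication", 5, 4),
    Risk("R2", "firmware update image", "malicious firmware installed",
         "update image accepted without signature verification", 5, 3),
    Risk("R3", "device event log", "log tampering",
         "log file writable by any on-device process", 2, 3),
    Risk("R4", "clinician tablet app", "session hijacking",
         "session token stored in plaintext on the tablet", 3, 3),
]

# Constructed controls; R3 is left untraced (accepted as low), R4 is an oversight.
CONTROLS = [
    Control("C1", "mutual authentication on the telemetry channel", ("R1",), 3),
    Control("C2", "firmware images signed; signature checked before install", ("R2",), 1),
]


if __name__ == "__main__":
    for rid, cids in traceability_matrix(RISKS, CONTROLS).items():
        print(rid, "->", cids or "(no control)")
    for rid, levels in residual_risks(RISKS, CONTROLS).items():
        print(rid, "initial/residual:", levels)
    for rid, reason in find_gaps(RISKS, CONTROLS):
        print("GAP", rid, reason)
```

Run as a script, the output shows R2 traced to a control that still leaves it at medium and R4 with no control at all, which are exactly the two conditions a traceability matrix in the submission is meant to make visible.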