The US Food and Drug Administration is recommending stronger post-market efforts to manage cybersecurity risks for some medical devices and software products.

New guidance from the regulator acknowledges the limitations of premarket cybersecurity risk management, thus emphasizing that manufacturers of devices that utilize software or firmware or that contain programmable logic, or of software that functions as a medical device, more thoroughly address such risks once their products have entered the US market. Of course, firms’ cybersecurity risk management efforts should also conform to 21 CFR Part 820 quality system requirements.

Six critical components for cybersecurity risk management

The guidance identifies six critical components of what the FDA considers a proper post-market cybersecurity risk management program:

• Monitoring cybersecurity data sources to detect any vulnerabilities
• Assessing the impact of any device vulnerabilities
• Setting up processes to handle vulnerabilities
• Defining a device’s essential clinical performance to mitigate against cybersecurity risks
• Establishing a coordinated vulnerability disclosure policy
• Setting up mitigation practices to address cybersecurity risks before any vulnerabilities are exploited

Furthermore, the FDA recommends that manufacturers design cybersecurity risk management programs incorporating components of the NIST Framework for Improving Critical Infrastructure Cybersecurity, a broader US federal framework designed to address cybersecurity issues across critical infrastructures.

 “Essential clinical performance” defined

The term “essential clinical performance” cited by the guidance pertains to a device’s performance necessary to avoid unacceptable clinical risk as defined by the device’s manufacturer.

The FDA states that manufacturers should define their devices’ essential clinical performance as part of their broader cybersecurity risk management programs, and map out potential outcomes if that performance is compromised.

Assessing exploitability and severity

Risk management processes should assess the exploitability of devices’ cybersecurity vulnerabilities as well as the level of severity any exploitation of a vulnerability would have on patients’ health, according to the guidance.

Although the FDA deems risk management approaches for conventional medical devices as “acceptable” for assessing exploitability of cybersecurity vulnerabilities, the agency recommends utilizing more specific tools such as the Common Vulnerability Scoring System developed by the Forum of Incident Response and Security Teams to more effectively determine how exploitable a device’s vulnerabilities are.

When assessing severity impact to health, manufacturers should utilize the series of qualitative severity levels laid out in ISO 14971:2007/(R)2010, Medical Devices – Application of Risk Management to Medical Devices.  

Watch this space

This new guidance illustrates the FDA’s most current thinking on how to address cybersecurity risks, but should not be construed as definitive. Networked and software-based medical devices continue to prove something of a moving target for medical device market regulators, so FDA and CDRH officials will no doubt continue to refine and, when necessary, redefine what they consider proper risk management approaches to this evolving sector of the device industry.

Related information from Emergo is available, including a whitepaper on medical device software standards and a regulatory process chart on registration of medical devices with the US FDA.