Advances in medicine in terms of how we diagnose, treat, or deploy therapy are rapidly changing each and every day. Even going to a doctor’s office for a routine urgent care visit is evolving to allow patients to access care through telemedicine from the comfort of their own homes. Methods for how patients are treated at a doctor’s office, emergency room, surgery center or other healthcare facility are continuously being innovated. 

For instance: imaging equipment that allows a radiological technician to share images with a radiologist in real time to a smart device or personal computer; the ability to pull precise dosage information for an infusion pump directly from the Cloud; or the introduction of robotics into surgical environments. These are all examples of how technology has allowed clinicians to treat patients more efficiently and effectively with the hopes of achieving even better outcomes.

Innovation and cyber risk

This all sounds fantastic, right? What could possibly be the downside to all of this innovation? Many readers probably already see where this question is leading. The answer is, all of those great innovations have led to increased risk of cyber attack on medical device and health delivery organization (HDO) networks, while also ultimately potentially introducing new safety risks to patients. Cybersecurity risk is a challenge that needs to be addressed by medical device manufacturers, HDOs and regulatory stakeholders alike, and it is.

For the purpose of this post, we’ll examine the role that regulators, specifically the US FDA, are taking in terms of cybersecurity, and what effects that has on the product development submission processes for device manufacturers to bring connected or software-enabled products to market. Beginning in 2014 with the initial Premarket Guidance for Cybersecurity Management and then with the latest draft Premarket Guidance for Cybersecurity Management released in October 2018, FDA has outlined how they will be evaluating software-enabled or connected medical devices.

Key FDA cybersecurity criteria

Essentially, the evaluation criteria outlined in the FDA guidance documents entail four main concepts:

• Organizational Processes
• Risk Based Approach
• Trustworthiness
• Safe Operation

So what do each of these concepts mean practically for manufacturers, and what are some considerations that they may want to follow? If you simply look at it, the first two elements are very process-driven criteria, while the latter two address testable criteria to evaluate whether a manufacturer’s risk controls are effectively implemented throughout the design process.

1. Organizational Process

• Has someone at the executive level (CISO, CTO, Product Security Officer) been tasked with responsibility of ensuring that there is a culture of considering cybersecurity throughout the product lifecycle?
• Has the concept of addressing cybersecurity risk been implemented into Quality Management System SOPs, and have provisions been established to ensure the execution?

2. Risk Based Approach

• Has a product risk framework been established to address the risk of cybersecurity from concept all the way to product launch? Perhaps build upon existing safety risk analysis.
• Have threat models been developed to evaluate the potential ways that a bad actor may look to attack your device?  Are you then incorporating that information back into your risk model?

3. Trustworthiness

• ​Are you evaluating your software composition throughout the development process to better understand the potential vulnerabilities and weaknesses that may exist?
• How are you incorporating that information into your risk model to best ensure the trustworthiness and resiliency of the device?

4. Safe Operation

• Are you adequately incorporating and testing the risk controls that were implemented in order to demonstrate security assurance?

Having supported many manufacturers and developers evaluate and mitigate risk, we have encountered organizations of various levels of cybersecurity maturity. We are often asked about resources that organizations can leverage to better address those four pillars highlighted in the Premarket Guidance.

• A standards-based approach is recommended, and the FDA has recognized standards such as UL 2900-1, UL 2900-2-1, and AAMI TIR57, to name a few.
• Recently a Joint Security Plan was launched by the Healthcare Sector Coordinating Council as an industry-led approach to uplifting the overall cybersecurity maturity of the industry.

All of the aforementioned standards are valuable resources that can be leveraged by organizations at any stage of product-level cybersecurity maturity. 

Essentially, FDA and other regulators are now looking to see that manufacturers have considered cybersecurity risks throughout the product development lifecycle and incorporated strategies to mitigate those risks. Contemplating and addressing cybersecurity risks at the earliest stages of product development and throughout the product lifecycle yields far more efficiencies and cost-effectiveness than doing so later in your development process. From our experience, taking that approach will ensure that manufacturers are more prepared, and allow them to take products to market in a more expeditious manner.

Christopher Beeman is Business Development Manager at UL Healthcare & Life Sciences’ Digital Health division.

Related medical device digital health and regulatory resources from Emergo by UL:

• US FDA cybersecurity guidance consulting for medical device and SaMD companies
• Cybersecurity risk management and procurement support
• Webinar: Mapping UL 2900 cybersecurity standards to FDA guidance