FDA Recommends Steps for Protection of Medical Devices from Cyber Attacks

By Clinical Informatics News Staff

January 20, 2016 | The FDA is releasing a draft guidance to clarify the responsibilities of medical device manufacturers to protect their devices from cyber attacks and software vulnerabilities. The document, “Postmarket Management of Cybersecurity in Medical Devices,” specifically focuses on measures that vendors should take to defend their products after they have been FDA approved and placed in hospitals.

Cybersecurity is a growing concern in the healthcare environment, as more medical devices have been made to interact with the Internet―either directly, or by being embedded in a hospital’s overall computer network. Making medical devices a part of the Internet of Things has major advantages; it can ensure that test results and medical images are immediately included in a patient’s health records, for instance, or give nurses and physicians mobile access to real-time data from bedside monitors. But it also creates opportunities for bad actors to access medical devices, stealing data or even sabotaging their ability to function.

Devices may also become compromised accidentally, as a result of viruses spreading across a computer network.

The FDA’s new cybersecurity guidelines attempt to establish a basic responsibility for manufacturers to support their products “from medical device conception to obsolescence,” while also acknowledging that not all risks can be predicted and prevented. To strike that balance, the FDA concerns itself with a device’s “essential clinical performance,” expecting every manufacturer to clearly define what functions are crucial for a device’s safe and effective use. This will help vendors and their customers to triage cybersecurity problems based on the risks they pose to patients, considering both how easy a known vulnerability is to exploit, and how severely patients could be affected.

“The presence of a vulnerability does not necessarily trigger patient safety concerns,” the document states. “Rather it is the impact of the vulnerability on the essential clinical performance of the device which may trigger patient safety concerns.”

The FDA anticipates that vendors who learn of serious vulnerabilities may need to respond quickly with measures that fall short of a thorough overhaul of their software. These measures may include asking customers to remove a device from the hospital network, issuing temporary patches to the software, or recommending workarounds to avoid problematic uses. Because some of these measures have regulatory implications, the agency made clear when it expects to be notified of vulnerabilities.

First, the FDA clarified that most patches and security-related software upgrades will be regarded as “device enhancements.” These types of changes, unlike most product modifications, do not have to be reported to the FDA or reviewed before implementation, although they should be noted in an annual report to the agency.

Second, in cases where a manufacturer finds a vulnerability that affects “essential clinical performance,” the new guidance document spells out three criteria for deciding if the FDA should be notified. The agency will expect a timely report of any known vulnerability if it causes a death or serious adverse event; if the manufacturer is unable to make changes to protect against the vulnerability within 30 days; or if the manufacturer is not a member of an Information Sharing and Analysis Organization, a type of group that shares information on developing cybersecurity threats between private and public entities.

While the FDA hopes that this policy will give manufacturers some leeway to support their devices without regulatory action, it does plan to take enforcement measures against companies that fail to report vulnerabilities meeting one or more of these criteria.

The guidance document has not been finalized and will be open for public comment. The FDA previously issued a draft guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” on measures that manufacturers should take to protect their medical devices before they reach customers.