Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff, Document issued on December 28, 2016
This guidance clarifies FDA’s postmarket recommendations and emphasizes that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices. The guidance also establishes a risk‐based framework for assessing when changes to medical devices for cybersecurity vulnerabilities require reporting to the FDA and outlines circumstances in which FDA does not intend to enforce reporting requirements under 21 CFR part 806.
Final Guidance – Key Concepts
- Essential performance – Essential performance means performance that is necessary to achieve freedom from unacceptable risk, as defined by the manufacturer. Compromise of the essential performance can produce a hazardous situation that results in harm and/or may require intervention to prevent
- Controlled Risk – Controlled risk is present when there is sufficiently low (acceptable) residual risk that the device’s essential performance could be compromised by a cybersecurity vulnerability.
- Uncontrolled Risk – Uncontrolled risk is present when there is unacceptable residual risk that the device’s essential performance could be compromised due to insufficient compensating controls and risk mitigations. The FDA does not intend to enforce reporting requirements under 21 CFR part 806 for specific vulnerabilities with uncontrolled risk when the following circumstances are met:
  - There are no known serious adverse events or deaths associated with the vulnerability;
  - As soon as possible, but no later than 30 days after learning of the vulnerability, the manufacturer communicates with its customers and user community regarding the vulnerability (minimum requirements for the content of communications are identified in the Postmarket Management of Cybersecurity in Medical Devices Final Guidance), identifies interim compensating controls, and develops a remediation plan to bring the residual risk to an acceptable level (the rationale for the remediation plan timeline must be documented by the manufacturer);
  - As soon as possible, but no later than 60 days after learning of the vulnerability, the manufacturer fixes the vulnerability, validates the change, and distributes the deployable fix to its customers and user community such that the residual risk is brought down to an acceptable level; and
  - The manufacturer actively participates as a member of an ISAO that shares vulnerabilities and threats that impact medical devices, such as the NH-ISAC, and provides the ISAO with any customer communications upon notification of its customers.
- Criteria for Active Participation in an ISAO ‐ FDA considers the following four criteria in determining active participation in an ISAO by a manufacturer:
  - The manufacturer is a member of an ISAO that shares vulnerabilities and threats that impact medical devices;
  - The ISAO has documented policies pertaining to participant agreements, business processes, operating procedures, and privacy protections;
  - The manufacturer shares vulnerability information with the ISAO, including any customer communications pertaining to cybersecurity vulnerabilities; and
  - The manufacturer has documented processes for assessing and responding to vulnerability and threat intelligence information received from the ISAO.
- Coordinated vulnerability disclosure – Coordinated vulnerability disclosure is a process through which vendors and vulnerability finders coordinate efforts in finding solutions that reduce the risks associated with a vulnerability. It encompasses actions such as reporting, coordinating, and publishing information about a vulnerability and its resolution. The goals include: ensuring that identified vulnerabilities are addressed; minimizing the risk from vulnerabilities; providing users with sufficient information to evaluate risks from vulnerabilities to their systems; setting expectations to promote positive communication and coordination among involved
- Cybersecurity Risk Management – Cybersecurity risk management reduces the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate cybersecurity. An effective cybersecurity risk management program incorporates both premarket and postmarket lifecycle phases and addresses cybersecurity from medical device conception to
- Cybersecurity routine updates and patches – Cybersecurity routine updates and patches are generally considered to be a type of device enhancement that may be applied to vulnerabilities associated with controlled risk and is not considered a repair. Cybersecurity routine updates and patches may also include changes to product labeling, including the instructions for use, to strengthen cybersecurity through increased end‐user education and use of best practices.
- Cybersecurity signal – A cybersecurity signal is any information which indicates the potential for, or confirmation of, a cybersecurity vulnerability or exploit that affects, or could affect, a medical device. A cybersecurity signal could originate from traditional information sources such as internal investigations, postmarket surveillance, or complaints, and/or security‐centric sources such as CERTs (Computer/Cyber Emergency Response/Readiness Teams, such as ICS‐CERT), ISAOs, threat indicators, and security researchers. Signals may be identified within the HPH Sector. They may also originate in another critical infrastructure sector (e.g., defense, financial) but have the potential to impact medical device cybersecurity.
- Cybersecurity vulnerability – A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat.
- Defense‐in‐Depth – Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.
- Protected Health Information (PHI) – The HIPAA Privacy Rule defines PHI as individually identifiable health information, held or maintained by a covered entity or its business associates acting for the covered entity, that is transmitted or maintained in any form or medium (including the individually identifiable health information of non‐U.S. citizens). This includes identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual, that is created or received by a health care provider, health plan, employer, or health care clearinghouse. For purposes of the Privacy Rule, genetic information is considered to be health information.
- Premarket and Postmarket lifecycle phases – includes the product design, development, production, distribution, deployment and maintenance phases.
- Vulnerability Disclosure Policy – An organization’s policy for, and timeframe for, disclosing vulnerabilities of which it has been made aware.