Yet another regulator has weighed in on cybersecurity issues, adding to an already complicated and daunting mosaic of regulatory enforcement actions and guidance. Last week, the U.S. Food and Drug Administration (“FDA”) posted new draft guidance concerning the postmarket management of cyber risks associated with medical devices that are connected to networks. The new draft guidance comes almost a year after President Obama issued Executive Order 13636, which directs public and private actors to work together to share information about cybersecurity.
The FDA’s new draft guidance lists factors that manufacturers should consider when assessing and remedying postmarket cybersecurity risks related to networked devices. While the guidance is only a draft and is subject to review and comment for the next 90 days, it does provide important insights into the FDA’s evolving view of cybersecurity issues. Here are the key takeaways:
• Why now? On July 31, 2015, the FDA issued an unprecedented cybersecurity alert concerning the Symbiq Infusion System by Hospira—a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population, including the delivery of insulin to diabetics. The FDA cautioned that the system could be accessed remotely from a hospital’s network, which would allow an “unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies.” (emphasis added). The FDA’s recognition of this alarming development likely played a role in the FDA’s decision to issue its latest draft guidance. The draft guidance describes risks associated with the essential clinical performance of insulin pumps as one of the more serious kinds of cybersecurity threats.
• What’s the Story? The FDA’s latest guidance only tells part of the story. In October 2014, the FDA issued its final guidance concerning “Premarket Submissions for Management of Cybersecurity in Medical Devices.” (emphasis added). While the FDA’s premarket guidance applies to devices that are being brought to market, the FDA’s latest draft guidance provides recommendations for medical devices that are already in use by patients across the country. The FDA asserts that manufacturers should consult both sets of guidance in developing “proactive” and “robust” policies and procedures for mitigating cybersecurity risks. Viewed together, the guidances make clear that the FDA is attempting to implement a regulatory scheme that will govern cybersecurity threats presented by networked medical devices throughout their entire life cycles.
• Risk Management: The FDA’s guidance encourages manufacturers of networked medical devices (such as pacemakers, insulin pumps, defibrillators, and even thermometers) to establish risk management policies and procedures that that will enable them to identify, evaluate and control cybersecurity risks, and monitor the effect of their controls. According to the FDA, the risk management plans should include two key components: processes that will enable manufacturers to (1) assess how vulnerable their devices are to cybersecurity risks and (2) evaluate how patient health will be impacted if a cybersecurity vulnerability is exploited.
• All risks are not created equal: The FDA acknowledges that there will be some level of cybersecurity risks associated with networked medical devices. In the draft guidance, the FDA draws a distinction between controlled and uncontrolled risks. For example, a controlled risk would exist if a medical device contains an open and unused communications port that could not be accessed remotely and could be remedied by a manufacturer through the use of a patch. On the other hand, the risk would be considered uncontrolled if the communications port could be accessed remotely to impair the device’s essential clinical performance. The latter risk would be deemed uncontrolled even if there were no reported deaths or other adverse health risks associated with the open port.
• To tell or not to tell: The draft guidance sets ground rules regarding when manufacturers must disclose cybersecurity issues to the FDA. The FDA draft guidance does not require reporting for “routine updates or patches” taken to address controlled risks, but notification is required for “cybersecurity vulnerabilities and exploits that may compromise the essential clinical performance of a device and present a reasonable probability of adverse health consequences or death.”
• Score points for sharing: The draft guidance encourages manufacturers to join information sharing analysis organizations (“ISAOs”). The FDA believes that participation in ISAOs “are a critical component of a medical device manufacturer’s comprehensive proactive approach to management of postmarket cybersecurity threats and vulnerabilities.” Joining an ISAO provides an important benefit to manufacturers in the event their devices are subject to cyberattacks. The FDA does not intend to enforce certain reporting requirements under 21 CFR part 806 if (a) the manufacturer participates in an ISAO, (b) there were no adverse events or deaths associated with the cybersecurity vulnerability, and (c) within 30 days of discovering the vulnerability, the manufacturer implements a change to bring the risk within an acceptable level and the manufacturer notifies users of the vulnerability. Thus, participation in an ISAO may reduce the risk that the FDA will bring an enforcement action against a manufacturer for the failure to report.
We will continue to monitor these draft guidelines and will report on future developments.
