The U.S. Food and Drug Administration (“FDA”) has increasingly focused on promoting cybersecurity because compromised medical devices can pose a risk to patient health as well as the confidentiality of personal medical information. On October 2, 2014, FDA issued final guidance on the content of premarket submissions for the management of cybersecurity in medical devices. The final guidance sets forth recommendations for the design and development of medical devices, as well as the preparation of premarket submissions, that are intended to reduce the likelihood that medical devices will be compromised as a result of inadequate cybersecurity.
Although the final guidance is not binding, it is broadly applicable—the recommendations apply to all premarket submissions except investigational device exemption applications, as well as to requirements under the Quality System Regulation. The guidance supplements other standards generally applicable to software included in medical devices, as well as specific standards addressing cybersecurity risks in medical devices containing off-the-shelf software. The final guidance also adopts the National Institute of Standards and Technology’s core cybersecurity framework, which FDA recently agreed to promote in a Memorandum of Understanding with the National Health Information Sharing and Analysis Center.
The final guidance sets forth concrete recommendations specifically applicable to medical devices. For example, device manufacturers should put systems in place to detect compromises and implement safeguards to preserve critical functionality and recover previous configurations. In addition, the final guidance recommends that device manufacturers track all cybersecurity risks considered in the design of a device and justify in premarket submissions the safeguards put in place to addresses identified risks. Specifically, the final guidance recommends that manufacturers justify a decision to use a particular security function, such as the use of one among many authentication processes or methods of securing the transfer of data.
The final guidance encourages device manufacturers to implement plans to provide and validate software updates throughout the life of a medical device. FDA’s guidance on off-the-shelf software states that device manufacturers have an obligation under the Quality System Regulation to provide systematic software updates to respond to identified risks. However, the final guidance indicates that software updates will not typically need FDA review when their sole purpose is to strengthen the cybersecurity of a medical device.
The final guidance recommends that manufacturers balance the benefit of increased safeguards with the usability of a medical device in its intended use environment. For example, device manufacturers should consider the need to access a device promptly in emergency situations when designing authentication procedures. A previous report by the U.S. Government Accountability Office on information security risks to medical devices had suggested that device manufacturers consider the risk that additional safeguards could lead to decreased battery life, potentially creating a need for more frequent surgical procedures to replace batteries in implantable devices, as well as the risk of unforeseen consequences as a result of new software updates.
Although the final guidance only establishes FDA’s recommendations for best practices, device manufacturers should become familiar with the final guidance as it is likely to inform FDA’s review of premarket submissions as well as Quality System Regulation compliance.