February 8, 2016

FDA Issues Draft Guidance for Postmarket Cybersecurity in Medical Devices

Arnold & Porter Advisory

I. Introduction

On January 22, 2016, the US Food and Drug Administration (FDA or the Agency) released its draft guidance on the “Postmarket Management of Cybersecurity in Medical Devices.”1 Without creating any legally enforceable responsibilities, the draft guidance aims to inform industry and FDA staff of the Agency’s recommendations for managing cybersecurity vulnerabilities in medical devices after they enter the market.

The draft guidance builds on previously released FDA guidance on the “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” which details factors that FDA recommends manufacturers consider during the design and development of their medical devices. In contrast, this draft guidance outlines the Agency’s recommendations for monitoring, identifying, and addressing cybersecurity vulnerabilities in devices that have already entered the market. Because a growing number of medical devices are designed to be networked to facilitate patient care, their internal software is increasingly vulnerable to cybersecurity threats. Some of these threats implicate the safety and effectiveness of the device. The postmarket guidance is applicable to medical devices that contain software (including firmware) or programmable logic, as well as software that meets the definition of a medical device, but does not apply to experimental or investigational medical devices. The pre- and post-market guidances fit into FDA’s larger recommendation that manufacturers take a proactive, risk-based approach to addressing cybersecurity “throughout the product lifecycle, including during the design, development, production, distribution, deployment, and maintenance of the device.”

The Agency’s focus on medical device cybersecurity is part of the Obama Administration’s larger effort to strengthen critical cybersecurity infrastructure. In February 2013, President Obama issued an Executive Order2 and Policy Directive3 to advance an interagency effort to improve critical infrastructure cybersecurity. The Executive Order recognized that repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity, and expressed that the private sector should coordinate to improve cybersecurity information sharing and to collaboratively develop and implement risk-based standards.

For that reason, a critical element of FDA’s recommended approach to postmarket cybersecurity management is the sharing of cyber risk information and intelligence within the medical device community. The 2013 Executive Order encouraged the development of Information Sharing Analysis Organizations (ISAOs), which would serve as focal points for cybersecurity information sharing and collaboration within the private sector and between the private sector and the government. The draft guidance names one ISAO, the National Health Information Sharing & Analysis Center, and generally states that ISAOs are intended to be inclusive, actionable, transparent, and trusted. As discussed in more detail below, the draft guidance provides certain protections for companies that voluntarily participate in ISAOs and follow other recommendations in this guidance.

Medical device manufacturers should closely review the draft guidance to understand FDA’s current thinking on postmarket management of medical devices. Although interested parties may comment on the guidance at any time, comments submitted before April 21, 2016, will be considered as the Agency prepares the final version of this guidance.

II. Overview of the Draft Guidance

As an overarching recommendation intended to improve the cybersecurity of medical devices, FDA encourages all medical device manufacturers to embrace the voluntary National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. This NIST Framework was created in response to President Obama’s February 2013 Executive Order and Policy Directive, mentioned above. The Framework “enables organizations—regardless of size, degree of cybersecurity risk, or cybersecurity sophistication—to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.”4 Given that the NIST Framework was designed to be applicable to all kinds of organizations, it is necessarily broad and lacks any specific guidance for medical device cybersecurity.

Building on the foundation of the NIST Framework, FDA’s latest guidance gives medical device manufacturers more tailored advice for managing medical device cybersecurity risks. In essence, FDA’s Postmarket Guidance encourages manufacturers to “establish, document, and maintain throughout the medical device lifecycle an ongoing process for identifying hazards associated with the cybersecurity of a medical device, estimating and evaluating the associated risks, controlling these risks, and monitoring the effectiveness of the controls.” As demonstrated below, the guidance provides recommendations for what these processes might look like, but ultimately FDA defers to manufacturers as to which processes are necessary for their specific products.

From the perspective of the manufacturer, the first objective of the cybersecurity processes FDA encourages is to identify risks and classify them as either “controlled” or “uncontrolled.” The distinction between controlled and uncontrolled risk is important because controlled risks can often be remedied through “cybersecurity routine updates and patches,” while uncontrolled risks cannot. Moreover, routine updates and patches are generally not required to be reported under 21 C.F.R. pt. 806. Uncontrolled risks are more likely to require the kind of remediation that triggers a reporting requirement.

The draft guidance explains that for a small subset of cybersecurity vulnerabilities and exploits that may compromise “the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death,” FDA would require medical device manufacturers to notify the Agency under 21 C.F.R. § 806.10. This section generally requires device manufacturers to notify FDA in writing within 10 working days of any correction (e.g., repair, modification, adjustment, relabeling) or removal of a device that was initiated to (1) reduce a risk to health posed by the device; or (2) remedy a legal/regulatory violation caused by the device that may present a risk to health.

A. Cybersecurity Risk Assessment: Focus on Risk to Essential Clinical Performance

The guidance encourages “manufacturers to define and document their process for objectively assessing the cybersecurity risk for their device(s).” The primary objective of these processes is to allow manufacturers to “make a binary determination that a vulnerability is controlled or uncontrolled using an established process that is tailored to the product, its essential clinical performance, and the situation.”

The difference between a controlled risk and an uncontrolled risk is the extent to which there is risk that the device’s “Essential Clinical Performance” (ECP) could be compromised by a cybersecurity vulnerability. The guidance defines the terms as follows:

Controlled risk is present when there is sufficiently low (acceptable) residual risk that the device’s essential clinical performance could be compromised by a cybersecurity vulnerability.

Uncontrolled risk is present when there is unacceptable residual risk that the device’s essential clinical performance could be compromised due to insufficient compensating controls and risk mitigations.

Therefore, the first step is for each manufacturer to define the ECP of its devices:

Essential clinical performance means performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer. Compromise of the essential clinical performance can produce a hazardous situation that results in harm and/or may require intervention to prevent harm. The concept “essential clinical performance” has been developed for the purpose of this guidance.

The definition and documentation of ECP is the starting point for determining the manufacturer’s subsequent postmarket cybersecurity obligations. The draft guidance recognizes that “acceptable mitigations will vary according to the device’s essential clinical performance.” Once a device’s ECP is defined, the guidance recommends that a manufacturer establish a process to assess the device’s cybersecurity risks and to classify them as controlled or uncontrolled, which, as explained above, depends on whether the risk could compromise the ECP.

The guidance portrays risk to a device’s ECP as a function of two factors: the exploitability of the vulnerability and the severity of its impact on health. The guidance advises manufacturers to have (1) a process for assessing the exploitability of a cybersecurity vulnerability, and (2) a process for assessing the severity of the impact on health if the cybersecurity vulnerability were to be exploited. To assess exploitability, FDA discourages the use of conventional medical device risk management approaches that rely on a “reasonable worst-case estimate” or set the default value of the probability to one. Instead, FDA suggests using a cybersecurity vulnerability assessment tool or similar scoring system for rating device vulnerability, such as the “Common Vulnerability Scoring System,” Version 3.0. Similarly, for assessing the severity of the impact on health, FDA recognizes that there are many potentially acceptable approaches, and it suggests using qualitative severity levels as described in ANSI/AAMI/ISO 14971:2007/(R)2010, Medical Devices – Application of Risk Management to Medical Devices.

Once manufacturers have assessed the exploitability of a vulnerability and its health impact, the risk can be classified as controlled or uncontrolled. FDA suggests creating a matrix in which each combination of exploitability and severity of impact on health is classified as controlled or uncontrolled risk. FDA recognizes that “while in some cases the evaluation will yield a definite determination that the situation is controlled or uncontrolled, it is possible that in other situations this determination may not be as distinct. Nevertheless, in all cases, FDA recommends that manufacturers make a binary determination that a vulnerability is either controlled or uncontrolled using an established process that is tailored to the product, its essential clinical performance, and the situation.”
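To make the two-factor assessment concrete, the following Python example, added here and not part of the advisory or the draft guidance, computes the CVSS v3.0 exploitability sub-score from the factors the guidance lists (attack vector, attack complexity, privileges required, user interaction; the same factors repeated in Appendix II, Section B(1)), pairs it with an ISO 14971-style qualitative severity level, and looks the pair up in a manufacturer-defined matrix to reach the binary controlled/uncontrolled determination. The CVSS weights are the published v3.0 constants; the band thresholds, the matrix contents and the sample vulnerabilities are illustrative assumptions constructed for this example. A `default_probability_to_one` switch shows what the “set the probability to one” approach that FDA discourages does to the outcome.

```python
"""Worked controlled/uncontrolled classification of the kind Section II.A
describes: exploitability from the CVSS v3.0 exploitability sub-score
(8.22 x AV x AC x PR x UI), severity as an ISO 14971-style qualitative
level, and a manufacturer-defined matrix mapping the pair to a binary
outcome.  Band thresholds, the matrix and the sample vulnerabilities are
illustrative assumptions constructed for this example, not values from
the draft guidance.
"""
from dataclasses import dataclass

# CVSS v3.0 base-metric weights that feed the exploitability sub-score.
ATTACK_VECTOR = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
ATTACK_COMPLEXITY = {"L": 0.77, "H": 0.44}
# Privileges Required weight depends on whether Scope is changed.
PRIVILEGES_REQUIRED = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.50)}
USER_INTERACTION = {"N": 0.85, "R": 0.62}

# ISO 14971-style qualitative severity levels (example labels, assumption).
SEVERITY_LEVELS = ("negligible", "minor", "serious", "critical", "catastrophic")

# Assumed manufacturer matrix: (exploitability band, severity) pairs whose
# residual risk to essential clinical performance is NOT acceptable.
UNCONTROLLED = {
    ("high", "serious"), ("high", "critical"), ("high", "catastrophic"),
    ("medium", "critical"), ("medium", "catastrophic"),
}


@dataclass
class Vulnerability:
    name: str
    av: str            # Attack Vector: N, A, L or P
    ac: str            # Attack Complexity: L or H
    pr: str            # Privileges Required: N, L or H
    ui: str            # User Interaction: N or R
    severity: str      # qualitative severity if the vulnerability is exploited
    scope_changed: bool = False


def exploitability(av, ac, pr, ui, scope_changed=False):
    """CVSS v3.0 exploitability sub-score; ranges from about 0.12 to 3.887."""
    pr_weight = PRIVILEGES_REQUIRED[pr][1 if scope_changed else 0]
    return (8.22 * ATTACK_VECTOR[av] * ATTACK_COMPLEXITY[ac]
            * pr_weight * USER_INTERACTION[ui])


def exploitability_band(score):
    """Assumed thresholds turning the numeric sub-score into three bands."""
    if score >= 2.5:
        return "high"
    if score >= 1.0:
        return "medium"
    return "low"


def classify(v, default_probability_to_one=False):
    """Binary determination the guidance asks for: 'controlled' or 'uncontrolled'.

    default_probability_to_one=True mimics the conventional worst-case
    approach the guidance discourages: every vulnerability is treated as
    fully exploitable, so the decision rests on severity alone.
    """
    if v.severity not in SEVERITY_LEVELS:
        raise ValueError(f"unknown severity level: {v.severity}")
    if default_probability_to_one:
        band = "high"
    else:
        band = exploitability_band(
            exploitability(v.av, v.ac, v.pr, v.ui, v.scope_changed))
    return "uncontrolled" if (band, v.severity) in UNCONTROLLED else "controlled"


def risk_matrix():
    """Full band x severity table, the artifact the guidance suggests documenting."""
    return {(band, sev): ("uncontrolled" if (band, sev) in UNCONTROLLED else "controlled")
            for band in ("low", "medium", "high") for sev in SEVERITY_LEVELS}


# Constructed samples loosely modelled on the scenarios in the draft's appendix.
SAMPLES = [
    # unused port, but a design feature forces physical access for a firmware load
    Vulnerability("unused port, physical access needed", "P", "H", "N", "N", "critical"),
    # implantable device reprogrammable over a short-range link via a hardcoded password
    Vulnerability("hardcoded password, wireless reprogramming", "A", "H", "N", "N", "catastrophic"),
    # browser-tracking malware on a PC component that does not touch clinical function
    Vulnerability("tracking malware on PC component", "N", "L", "N", "R", "negligible"),
]

if __name__ == "__main__":
    for v in SAMPLES:
        score = exploitability(v.av, v.ac, v.pr, v.ui, v.scope_changed)
        print(f"{v.name:45s} exploitability={score:.2f} "
              f"-> {classify(v)} (worst-case approach: {classify(v, True)})")
```

Running the sample shows why the guidance steers manufacturers away from defaulting the probability to one: the physical-access-only port is controlled under the scored approach but uncontrolled once exploitability is assumed to be maximal, which would pull every vulnerability with a serious or worse severity into the uncontrolled (and potentially reportable) category regardless of how hard it actually is to exploit.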

B. Remediating and Reporting Obligations

After a manufacturer identifies and categorizes cybersecurity risks as controlled (acceptable residual risk) or uncontrolled (unacceptable residual risk), FDA recommends that medical device manufacturers take steps to manage known risks in an efficient and timely manner. In general, as part of an ongoing cybersecurity risk management protocol, the Agency advises manufacturers to practice “good cyber hygiene” and to reduce identified cybersecurity risks even if the level of residual risk is deemed to be at an acceptable level.

Remediation

The guidance states that remediation, or “action(s) taken to reduce the risk to the medical device’s essential clinical performance to an acceptable level,” may be internal or external to the device itself. For example, a manufacturer may remove a cybersecurity vulnerability from the medical device itself through a security update or a patch. Alternatively, a manufacturer may implement “compensating controls,” which are “safeguard[s] or countermeasure[s], external to the device, employed by a user in lieu of, or in the absence of sufficient controls that were designed in by manufacturer.” Compensating controls may include disclosing the vulnerability, the potential impact, and a strategy to reduce the risk to the customer base and the user community. As required by FDA regulations, manufacturers should conduct appropriate software validation to assure that the remediation steps designed to mitigate the target vulnerability do not unintentionally expose the device to additional risks.5

Reporting Obligations

In a majority of cases, FDA anticipates that remediation measures will consist of “routine updates and patches,” which are designed to “remediate vulnerabilities associated with controlled risk and not to reduce a risk to health or correct a violation of the” Federal Food, Drug, and Cosmetic Act (FDCA). In such cases, the draft guidance clarifies that FDA’s corrections and removals regulations in 21 C.F.R. pt. 806 will typically not require advance notice to the Agency. With regard to changes or compensating control action to address vulnerabilities associated with controlled risk, the draft guidance reminds manufacturers that:

Changes to a device that are made solely to strengthen cybersecurity are typically considered device enhancements, which may include cybersecurity routine updates and patches, and are generally not required to be reported under 21 C.F.R. § 806.10.

For a subset of cybersecurity vulnerabilities where uncontrolled risk is present, existing FDA regulations would require manufacturers to submit a pt. 806 report to inform the Agency of corrections to devices that were initiated either to reduce a risk to health posed by the device or to remedy a violation of the Act caused by the device which may present a risk to health. The draft guidance provides several recommendations for remediation taken to address uncontrolled risk. First, FDA advises that manufacturers should remediate the risk of compromise to essential clinical performance to an acceptable level. The Agency, however, recognizes that a complete solution to remove a cybersecurity vulnerability from a medical device, sometimes referred to as an “official fix,” may not be feasible or immediately practicable. In such cases, manufacturers are encouraged to identify and implement risk mitigations and compensating controls in lieu of an official fix.6

The draft guidance states that manufacturers should report vulnerabilities that pose uncontrolled risk to FDA pursuant to 21 C.F.R. pt. 806, unless they are submitted as Medical Device Reports (MDRs) under 21 C.F.R. pt. 803 or electronic product repair and replacement reports under 21 C.F.R. pt. 1004. That being said, the guidance also provides that FDA does not intend to enforce the reporting requirements under 21 C.F.R. pt. 806 as long as the following three conditions are met:

1. There are no known serious adverse events or deaths associated with the vulnerability;

2. Within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users; and

3. The manufacturer is a participating member of an ISAO.

In summary, manufacturers that remediate risks to medical devices would fall into one of three reporting categories outlined under this draft guidance. First, if in response to a controlled risk a manufacturer implements routine updates and patches solely to strengthen cybersecurity, the draft guidance clarifies that advance notice to the Agency is typically not required. Second, if uncontrolled risk is present, manufacturers are required under 21 C.F.R. pt. 806 to inform FDA of corrections to devices that were initiated to reduce the risk to health posed by the device or to remedy a violation of the Act caused by the device. Third, the guidance exempts manufacturers from reporting remediation of uncontrolled risk as long as there are no known associated serious adverse events or deaths, the manufacturer reduces the risk to an acceptable level and notifies users within 30 days, and the manufacturer participates in an ISAO.

Additionally, regardless of whether risks are classified as controlled or uncontrolled, manufacturers would need to comply with existing reporting requirements, including periodic annual reports for premarket approval (PMA) devices. The draft guidance includes specific information that should be included in PMA device annual reports required by 21 C.F.R. § 814.84 and generally recommends that those reports cover “newly acquired information concerning cybersecurity vulnerabilities and device changes made as part of cybersecurity routine updates and patches.”

III. Impact on Industry

This draft guidance leaves many questions unanswered, but there are at least a few clear conclusions to be drawn.

Monitoring Cybersecurity Vulnerabilities throughout the Device Lifecycle  

First, while many medical device manufacturers already take cybersecurity seriously, they should recognize that FDA has essentially made cybersecurity vulnerability management throughout the lifecycle of medical devices a long-term and likely permanent aspect of regulatory compliance and quality systems. As a first step, manufacturers should consider how the NIST Framework can be implemented into their business operations.7 NIST provides general best practices, and every company should build on and apply the basic principles NIST provides to create a cybersecurity program that fits its needs. This is generally a good commercial investment, but it will also help prepare medical device manufacturers for FDA’s future cybersecurity expectations. Given the Agency’s increasing attention to cybersecurity, manufacturers should begin implementing FDA’s cybersecurity guidance to be better prepared if and when similar cybersecurity recommendations become mandatory. Companies that are proactive about assessing and mitigating cyber risk will likely be better prepared to comply with any future mandatory cybersecurity requirements, such as those currently being implemented in the defense contracting sector.

Information Sharing Across the Health IT Community

Second, FDA expects that not only medical device manufacturers, but also the larger health IT community, will collaborate to identify and remediate risks associated with medical device cybersecurity vulnerabilities. The FDA Center for Devices and Radiological Health (CDRH) has expressed commitment to furthering the growth of ISAOs, including by entering into a Memorandum of Understanding with an ISAO, the National Health Information Sharing & Analysis Center (NH-ISAC). As discussed above, the draft guidance strongly encourages manufacturers to participate in ISAOs, and goes so far as to create a limited exception to the reporting requirements for ISAO-participating manufacturers. Beyond device manufacturers, the Agency encourages engagement of the greater health IT community to increase situational awareness and preemptively address cybersecurity vulnerabilities before they impact the safety, effectiveness, integrity, or security of medical devices and the health IT infrastructure. Significantly, this suggests that medical device cybersecurity risk assessment and management is a shared responsibility of both FDA-regulated device manufacturers and the larger health IT community.

Stakeholders have noted, however, that while a “critical component” of FDA’s postmarket guidance is voluntary participation in ISAOs, the draft guidance does not specify how ISAOs will form, function, and interact with the Agency. FDA’s public workshop titled “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity” coincided with the draft guidance’s release. As expected, a significant part of the discussion at the workshop focused on the draft guidance, and specifically on FDA’s recommendation that manufacturers participate in ISAOs. While the guidance briefly describes the Agency’s intent for how ISAOs will operate in the medical device context, it leaves open key details such as what it means to be a “participating” member of an ISAO. Moreover, stakeholders have expressed concern about the risks associated with information sharing, including inadvertently divulging proprietary information to competitors, as well as the extent to which information must be shared with FDA. In recognition that the structure and function of ISAOs remain undetermined, FDA is encouraging stakeholders to submit comments on this issue for the Agency to consider as it finalizes the postmarket guidance.

Understanding and Complying with Reporting Obligations

Third, medical device manufacturers should be sure they understand their obligations under 21 C.F.R. pt. 806, particularly relating to reporting. Cybersecurity and mandatory reporting under some circumstances go hand-in-hand, as the draft guidance makes clear. The Department of Defense’s efforts to implement mandatory cybersecurity regulations show that such reporting requirements can be particularly difficult to draft and uncertain in application, and that they can create reporting burdens and raise concerns about the protection of proprietary information. Section VIII of the draft guidance recommends content to be included in periodic reports.

Documenting the Process for Defining the Essential Clinical Performance

Fourth, for all of its deference to manufacturer determinations, the draft guidance does create one clear expectation: manufacturers need to create and document a process for defining the essential clinical performance of each device manufactured; identifying vulnerabilities to their devices; assessing the risk associated with those vulnerabilities; classifying those risks as either controlled or uncontrolled; and engaging in remediation and reporting as necessary. FDA currently gives manufacturers the flexibility to define essential clinical performance and to choose appropriate processes for assessing risk, but it appears that a documented system is expected.

IV. Appendix I: Examples of Controlled and Uncontrolled Risk

The draft guidance provides several examples of remediation of controlled and uncontrolled risk, as well as the associated reporting requirements. The following language is excerpted verbatim from throughout the draft:

Controlled Risk

A device manufacturer is notified of an open, unused communication port by the US Department of Homeland Security Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT). Subsequent analyses show that a design feature of the device prevents unauthorized remote firmware download onto the device. The threat is mitigated substantially by the need for physical access due to this device feature and the residual risk is considered “acceptable.” The manufacturer takes steps to further enhance the device’s security by taking steps to close the unused communication port(s) and provide adequate communication to device users (e.g., user facilities) to facilitate the patch. If the manufacturer closes the open communication ports, the change would be considered a cybersecurity routine update or patch, a type of device enhancement. The change may not require reporting under 21 CFR part 806.

A device manufacturer receives a user complaint that a recent security software scan of the PC component of a Class III medical device has indicated that the PC is infected with malware. The outcome of a manufacturer investigation and impact assessment confirms the presence of malware and that the primary purpose of the malware is to collect Internet browsing information. The manufacturer also determined that the malware has actively collected browsing information, but that the device’s essential clinical performance is not impacted by such collection. The manufacturer’s risk assessment determines that the risk due to the vulnerability is controlled. Since essential clinical performance was not impacted, the manufacturer can update the product and it will be considered a cybersecurity routine update or patch. In this case, the manufacturer does not need to report this software update to FDA in accordance with 21 CFR 806.10. Because the device is a Class III device, the manufacturer should report the changes to FDA in its periodic (annual) report required for holders of an approved PMA under 21 CFR 814.84.

Uncontrolled Risk

A manufacturer is made aware of open, unused communication ports. Subsequent analysis determines that the device’s designed-in features do not prevent a threat from downloading unauthorized firmware onto the device, which could be used to compromise the device’s essential clinical performance. Although there are no reported serious adverse events or deaths associated with the vulnerability, the risk assessment concludes the risk to the device’s essential clinical performance is uncontrolled. The manufacturer develops and implements a software update to close the unused communication port(s) and notifies device users (e.g., Healthcare Delivery Organizations (HDOs)) to facilitate the remediation. The manufacturer identifies and implements compensating controls to bring the residual risk to an acceptable level and notifies users within 30 days of becoming aware of the vulnerability. The manufacturer is also a participating member of an ISAO and the manufacturer did not submit an 806 report to the Agency. For Class III devices, the manufacturer does submit a summary of the remediation as part of their periodic (annual) report to FDA. Under these circumstances, FDA does not intend to enforce the reporting requirements under 21 CFR part 806.

A manufacturer becomes aware of a vulnerability via a researcher that its Class III medical device (e.g., implantable defibrillator, pacemaker, etc.) can be reprogrammed by an unauthorized user. If exploited, this vulnerability could result in permanent impairment, a life-threatening injury, or death. The manufacturer is not aware that the vulnerability has been exploited and determines that the vulnerability is related to a hardcoded password, and cannot be mitigated by the device’s design controls. The risk assessment concludes that the exploitability of the vulnerability is moderate and the risk to the device’s essential clinical performance is uncontrolled. The manufacturer notifies appropriate stakeholders, and distributes a validated emergency patch. The manufacturer is not a participating member of an ISAO and reports this action to FDA under 21 CFR 806.10.

A vulnerability known to the security community, yet unknown to a medical device manufacturer, is incorporated into a Class II device during development. Following clearance, the manufacturer becomes aware of the vulnerability and determines that the device continues to meet its specifications, and that no device failures or patient injuries have been reported. There is no evidence that the identified vulnerability has been exploited. However, it was determined that the vulnerability introduced a new failure mode to the device that impacts essential clinical performance, and the device’s design controls do not mitigate the risk. The manufacturer conducts a risk assessment and determines that without additional mitigations, the risk to essential clinical performance is uncontrolled. Although the manufacturer does not currently have a software update to mitigate the impact of this vulnerability on the device’s essential clinical performance, the manufacturer notifies the customer base and user community of the cybersecurity risk and instructs them to disconnect the device from the hospital network to prevent unauthorized access to the device. The company’s risk assessment concludes that the risk to essential clinical performance is controlled with this additional mitigation. If the company took this action to mitigate the risk within 30 days of learning of the vulnerability and is a participating member of an ISAO, FDA does not intend to enforce compliance with the reporting requirement under 21 CFR part 806.

A hospital reports that a patient was harmed after a medical device failed to perform as intended. A manufacturer investigation determines that the medical device malfunctioned as a result of exploitation of a previously unknown vulnerability in its proprietary software. The outcome of the manufacturer’s investigation and impact assessment determines that the exploit indirectly impacts the device’s essential clinical performance and may have contributed to a patient death. The manufacturer notifies the customer base and user community, and develops a validated emergency patch within 30 days of learning of the vulnerability. The manufacturer is a participating member of an ISAO. Because there has been a serious adverse event or death associated with the vulnerability, the manufacturer files a report in accordance with 21 CFR 806.10 to notify FDA and complies with reporting requirements under 21 CFR part 803.
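The five excerpted scenarios above each end with a reporting outcome that follows from the rules summarized in Section II.B (routine updates and patches for controlled risk need no pt. 806 report; uncontrolled risk requires one unless all three enforcement-discretion conditions hold; a serious adverse event or death also triggers pt. 803 reporting; PMA holders report changes in the 21 C.F.R. § 814.84 annual report). The following Python example, added here and not part of the advisory or the draft guidance, encodes those rules as a decision function and checks it against constructed records paraphrasing the five scenarios. Where a scenario does not state the device class, the value used is an assumption and is marked as such.

```python
"""Reporting-path decision for a remediated cybersecurity vulnerability.

Encodes the rules the advisory summarizes from the draft guidance:
 - controlled risk, routine update or patch: no 21 C.F.R. pt. 806 report;
 - uncontrolled risk: pt. 806 report required unless (1) no known serious
   adverse events or deaths, (2) risk reduced and users notified within
   30 days, and (3) the manufacturer participates in an ISAO;
 - a serious adverse event or death also triggers pt. 803 MDR reporting;
 - Class III (PMA) devices report changes in the 814.84 annual report.
The function and the scenario records are constructed here to check the
rules against the draft's appendix examples; they are not guidance text.
"""
from dataclasses import dataclass


@dataclass
class Remediation:
    name: str
    risk: str                    # "controlled" or "uncontrolled"
    serious_events: bool         # known serious adverse events or deaths
    remediated_in_30_days: bool  # mitigations/controls and user notice within 30 days
    isao_member: bool            # participating member of an ISAO
    device_class: str            # "I", "II" or "III"


def unmet_conditions(r):
    """Which of the three enforcement-discretion conditions fail (empty = all met)."""
    checks = {
        "no known serious adverse events or deaths": not r.serious_events,
        "risk reduced and users notified within 30 days": r.remediated_in_30_days,
        "participating member of an ISAO": r.isao_member,
    }
    return [name for name, ok in checks.items() if not ok]


def reporting_path(r):
    """Return the set of reports the scenario calls for under the summarized rules."""
    if r.risk not in ("controlled", "uncontrolled"):
        raise ValueError(f"risk must be controlled or uncontrolled, got {r.risk!r}")
    reports = set()
    if r.risk == "controlled":
        reports.add("pt. 806: not required (routine update or patch)")
    elif not unmet_conditions(r):
        reports.add("pt. 806: enforcement discretion (three conditions met)")
    else:
        reports.add("pt. 806: report required")
    if r.serious_events:
        reports.add("pt. 803: medical device report (MDR)")
    if r.device_class == "III":
        reports.add("814.84: PMA annual report")
    return reports


# Constructed records paraphrasing the appendix scenarios.  Device class is
# an assumption where the scenario does not state it.
SCENARIOS = [
    Remediation("tracking malware on Class III PC component",
                "controlled", False, True, False, "III"),
    Remediation("unused ports, Class III, ISAO member",
                "uncontrolled", False, True, True, "III"),
    Remediation("implantable device hardcoded password, not an ISAO member",
                "uncontrolled", False, True, False, "III"),
    Remediation("Class II device, disconnect-from-network mitigation, ISAO member",
                "uncontrolled", False, True, True, "II"),
    Remediation("patient harm from exploited vulnerability, ISAO member",
                "uncontrolled", True, True, True, "II"),   # class assumed
]


def decide_all():
    """Map each scenario name to the reports it calls for."""
    return {r.name: reporting_path(r) for r in SCENARIOS}


if __name__ == "__main__":
    for r in SCENARIOS:
        missing = unmet_conditions(r)
        print(f"{r.name}\n  reports: {sorted(reporting_path(r))}"
              f"\n  unmet conditions: {missing or 'none'}")
```

The `unmet_conditions` helper is the part worth keeping in a real compliance workflow: for the implantable-device scenario it names ISAO membership as the single missing condition, and for the patient-harm scenario it names the adverse event, which is exactly the information a manufacturer needs when deciding whether a pt. 806 filing is avoidable.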

V. Appendix II: Elements of an Effective Postmarket Cybersecurity Program

The draft guidance recommends that the following elements, consistent with the NIST Framework for Improving Critical Infrastructure Cybersecurity (i.e., Identify, Protect, Detect, Respond, and Recover), be included as part of a manufacturer’s cybersecurity risk management program. The draft guidance states (citations in original):

A. Identify

(1) Defining Essential Clinical Performance

Essential clinical performance means performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer. Compromise of the essential clinical performance can produce a hazardous situation that results in harm and/or may require intervention to prevent harm.

Manufacturers should define the essential clinical performance of their device, the resulting severity outcomes if compromised, and the risk acceptance criteria. Defining essential clinical performance requirements, severity outcomes, and mapping requirements allows manufacturers to triage vulnerabilities for remediation (see Section VI for additional information on risk assessments).

When defining essential clinical performance, manufacturers should consider the requirements necessary to achieve device safety and effectiveness. Understanding and defining essential clinical performance is of importance in assessing vulnerability impact on device performance, and in determining whether proposed or implemented remediations can provide assurance that the cybersecurity risk to the essential clinical performance is reasonably controlled. Importantly, acceptable mitigations will vary according to the device’s essential clinical performance. For example, mitigation for a cybersecurity vulnerability affecting the essential clinical performance of a thermometer may be quite different than a mitigation considered for an insulin infusion pump.

(2) Identification of Cybersecurity Signals

Manufacturers are required to analyze complaints, returned product, service records, and other sources of quality data to identify existing and potential causes of nonconforming product or other quality problems (21 CFR 820.100). Manufacturers are encouraged to actively identify cybersecurity signals that might affect their product, and engage with the sources that report them. It is important to recognize that signals can originate from sources familiar to the medical device workspace such as internal investigations, postmarket surveillance and/or complaints. It is also important to recognize that cybersecurity signals may originate from cybersecurity-centric sources such as Cyber Emergency Response Teams (CERTs), ISAOs, security researchers, or from other critical infrastructure sectors such as the Defense or Financial Sectors. Irrespective of the originating source, a clear, consistent and reproducible process for intake and handling of vulnerability information should be established and implemented by the manufacturer. FDA has recognized ISO/IEC 30111:2013: Information Technology – Security Techniques – Vulnerability Handling Processes that may be a useful resource for manufacturers. Manufacturers should develop strategies to enhance their ability to detect signals (e.g., participating in an ISAO). Manufacturers can also enhance their postmarket detection of cybersecurity risks by incorporating detection mechanisms into their device design and device features to increase the detectability of attacks and permit forensically sound evidence capture.

B.         Protect

(1)        Vulnerability Characterization and Assessment

FDA recommends that manufacturers characterize and assess identified vulnerabilities, because doing so provides information that helps manufacturers triage remediation activities. When characterizing the exploitability of a vulnerability, the manufacturer should consider factors such as remote exploitability, attack complexity, threat privileges, actions required by the user, exploit code maturity, and report confidence. Scoring systems such as the “Common Vulnerability Scoring System” (CVSS)8 provide a consistent framework for assessing exploitability by quantifying the impact of the factors that influence it. See Section VI for additional guidance on vulnerability risk assessment.

(2)        Risk Analysis and Threat Modeling

FDA recommends that manufacturers conduct cybersecurity risk analyses that include threat modeling for each of their devices, and that they update those analyses over time. Risk analyses and threat modeling should aim to triage vulnerabilities for timely remediation. Threat modeling is a procedure for optimizing network, application, and Internet security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system.9 Threat modeling complements traditional risk management and failure mode analysis paradigms, and provides a framework to assess threats from active adversaries or malicious use. For each vulnerability, a summary report should be produced that concisely summarizes the risk analysis and threat modeling information. Because the analyses are cyclical, the information should be traceable to related documentation.

(3)        Analysis of Threat Sources10

FDA recommends that manufacturers analyze possible threat sources. A threat source is defined as the intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger a vulnerability.11 Analysis of threat sources, as part of risk analysis and threat modeling, provides a framework for the risk introduced by an active adversary. Therefore, characterizing threat sources will help manufacturers assess risks not covered by traditional failure mode analysis methods.

(4)        Incorporation of Threat Detection Capabilities

Medical devices may not be capable of detecting threat activity and may be reliant on network monitoring. Manufacturers should consider incorporating design features that establish or enhance the device’s ability to detect an attack and to capture forensically sound postmarket evidence in the event of one. This information may assist the manufacturer in assessing and remediating identified risks.

(5)        Impact Assessment on All Devices

FDA recommends that manufacturers have a process to assess the impact of a cybersecurity signal horizontally (i.e., across all medical devices within the manufacturer’s product portfolio, sometimes referred to as variant analysis) and vertically (i.e., determining whether there is an impact on specific components within the device). A signal may identify a vulnerability in one device, and that same vulnerability may affect other devices, including those in development or those not yet cleared, approved, or marketed. Therefore, it will be advantageous to manufacturers to analyze cybersecurity signals in a way that gives the detection resources expended the widest impact.

C.         Protect/Respond/Recover

(1)        Compensating Controls Assessment (Detect/Respond)

FDA recommends that manufacturers implement device-based features as the primary mechanism to mitigate the impact of a vulnerability on essential clinical performance. Manufacturers should assess, and prescribe to users, compensating controls such that the risk to essential clinical performance is further mitigated by a defense-in-depth strategy. Section VII describes recommendations for remediating and reporting identified cybersecurity vulnerabilities, including the development, implementation, and user notification concerning official fixes, temporary fixes, and work-arounds. Manufacturers should also adopt a coordinated vulnerability disclosure policy. FDA has recognized ISO/IEC 29147:2014, Information Technology – Security Techniques – Vulnerability Disclosure, which may be a useful resource for manufacturers.

(2)        Risk Mitigation of Essential Clinical Performance

Once the preceding information has been assessed and characterized, manufacturers should determine whether the risk levels the vulnerability presents to essential clinical performance are adequately controlled by existing device features and/or manufacturer-defined compensating controls (i.e., whether residual risk levels are acceptable). Actions taken should reflect the magnitude of the problem and align with the risks encountered. Manufacturers should also include an evaluation of residual risk, benefit/risk, and risk introduced by the remediation. Manufacturers should design their devices to ensure that risks inherent in remediation are properly mitigated, including by ensuring that the remediation is adequate and validated and that device designs incorporate mechanisms for secure and timely updates.

Changes made to improve the performance or quality of a device that do not impact the essential clinical performance of the device are considered device enhancements, not recalls. Routine cybersecurity updates and patches are generally considered a type of device enhancement. For further information on distinguishing between device enhancements and recalls, see the FDA guidance titled “Distinguishing Medical Device Recalls from Medical Device Enhancements.”

  1. FDA, Postmarket Management of Cybersecurity in Medical Devices (Jan. 2016).

  2. Exec. Order No. 13636 (Feb. 19, 2013).

  3. Presidential Policy Directive 21 (Feb. 12, 2013).

  4. NIST, Framework for Improving Critical Infrastructure Cybersecurity at 1 (Feb. 2014).

  5. 21 C.F.R. § 820.30(g).

  6. See Appendix I: Examples of Controlled and Uncontrolled Risk. The draft guidance provides several examples to illustrate appropriate remediation measures for controlled and uncontrolled risks.

  7. See Appendix II: Elements of an Effective Postmarket Cybersecurity Program. The draft guidance recommends elements that medical device manufacturers consider including in their cybersecurity risk management program.

  8. Common Vulnerability Scoring System, Version 3.0, Scoring Calculator.

  9. See Threat Modeling as defined in the Open Web Application Security Project.

  10. NIST, Guide for Conducting Risk Assessments, NIST Special Publication 800-30, Revision 1.

  11. NIST, Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publication 800-53, Revision 4, Appendix B.