FDA Issues Draft Guidance for Postmarket Management of Cybersecurity in Medical Devices

Written by: Richard Sheinis, Esq.

The FDA has issued this draft guidance to add to its other guidance documents on cybersecurity and medical devices, “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software” and “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”. It is starting to feel like a Harry Potter series. The essence of this guidance is that premarket controls alone cannot completely mitigate cybersecurity risks to networked medical devices. Networked medical devices incorporate software that may be vulnerable to cybersecurity threats, and new vulnerabilities in that software will continue to surface after the device has been cleared and deployed. The exploitation of these vulnerabilities may present a risk to the effectiveness of the device, to the integrity, availability and security of patient information, and to the safety of the patient. Networked medical devices therefore require continual maintenance throughout the device lifecycle to minimize the risk of being compromised.

Cybersecurity threats to medical devices are continually evolving, and attackers are always looking for ways to exploit vulnerabilities. Device manufacturers are encouraged to develop a risk management process that identifies cybersecurity risks and vulnerabilities associated with a medical device on an ongoing basis, evaluates them, and continually works to remediate them in order to minimize the risk to the device and to patients.

The guidance does not, however, address the role of health care providers in maintaining the security of the medical devices they use, even though the HIPAA Security Rule requires medical providers to implement physical, administrative, and technical safeguards to protect the privacy and integrity of electronic protected health information (“ePHI”). This includes ePHI that is created, stored, or transmitted by networked medical devices. Additionally, the Security Rule requires medical providers to perform a risk analysis to identify risks to ePHI. That risk analysis must consider threats to ePHI that flows through networked medical devices.

Medical providers should have a policy on the purchasing and implementation of networked medical devices that considers the security of each device, including ongoing monitoring for any changes, updates, and patches issued by the manufacturer. There should be an understanding between the device manufacturer and the medical provider as to how the security of the device will be maintained over its lifecycle, including who is responsible for identifying vulnerabilities, how and when patches will be delivered, and how the provider will be notified. This understanding should be memorialized in a written agreement or contract.

Unfortunately, what I often see are providers who simply trust that a networked medical device is secure, and will always be secure. They do not consider their own role in maintaining the security of the device, and do not include the device in their security planning. The bottom line is that any network component, which includes medical devices, has to be considered as part of a medical provider's risk analysis and risk management program.
