The Situation: As medical devices become more connected to each other and to the internet, an increasing number of patients are exposed to cybersecurity risks.
The Result: Over the last five years, the Food and Drug Administration ("FDA") has issued new guidance and policy to address cybersecurity issues and has been advised by the Office of Inspector General ("OIG") to take additional steps. Manufacturers should be aware of, and prepare for, the actions FDA undertakes on its own initiative and as a result of the OIG recommendations.
Looking Ahead: Although FDA recognizes that cybersecurity of medical devices is a shared responsibility across the ecosystem, manufacturers of networked medical products have the primary responsibility for managing the cybersecurity risks presented by their products and potentially should be prepared to provide significant cybersecurity information to FDA.
Because of recent and highly publicized data breaches across a multitude of industries, cybersecurity threats have become synonymous with the digital age, and both private and government organizations have invested significant resources into combating the risks presented by digital threats. Although FDA is, to date, unaware of medical devices being hacked or manipulated by unauthorized users while in use by a patient, the threat of such an event is not just theoretical and has received increasing attention from the Agency. Indeed, a number of medical device companies have taken action to address postmarket vulnerabilities that, if exploited, could have allowed an unauthorized user to access a patient's device using commercially available equipment. For example, the FDA has previously issued a safety communication related to a software update to address potential cybersecurity vulnerabilities associated with an implantable device.
FDA's Center for Devices and Radiological Health ("CDRH") is responsible for the oversight of medical devices, including those that are digitally connected to each other or to larger networks, such as the internet. The expanded connectivity of medical devices has led to improvements in patient care and greater efficiencies in the healthcare system (e.g., remote control of devices through mobile apps, as well as faster processing/analyzing of patient data), but also presents new and different types of risks that must be addressed to ensure such products are safe for patient use.
Manufacturers of networked medical devices are required to address their device's cybersecurity risks as part of an FDA submission for marketing authorization. The Quality System Regulations at 21 CFR § 820.30(g) state that, as part of a device's design controls, manufacturers must "establish and maintain procedures for validating the device's design," which includes "software validation and risk analysis, where appropriate." Notably, these regulations do not specifically address cybersecurity; they were issued before cybersecurity became a central consideration of medical device design. Understanding that industry may be confused about what this regulation requires and, more broadly, FDA's role in assessing cybersecurity measures, the Agency has issued guidance and other policy documents aimed at clarifying its expectations for manufacturers of networked devices.
In 2013, FDA established the Cybersecurity Working Group within CDRH. The group is tasked with ensuring that FDA's thinking on cybersecurity issues keeps pace with the rapidly evolving threat landscape and technological developments. In 2014 and 2016, FDA issued its first two guidance documents addressing cybersecurity in the premarket and postmarket contexts, respectively. However, the 2014 guidance may end up being relatively short-lived: In October 2018, FDA issued a new draft guidance that, when finalized, will replace the 2014 guidance. The 2018 draft would significantly expand what FDA recommends manufacturers submit in terms of cybersecurity design documentation in premarket submissions. As such, the draft guidance is perceived as potentially raising the bar for marketing authorization for certain low to moderate-risk devices. The new draft postmarket guidance also suggests that informing users of relevant security information through labeling may play an important role in helping to mitigate cybersecurity risks.
The 2016 postmarket guidance outlines a risk-based framework for manufacturers to use for responding to new cybersecurity threats once a device is already in use, from patching and updates to circumstances in which reporting to FDA is warranted. The guidance leverages the National Institute for Standard and Technology's well-known cybersecurity framework—including the core functions of detection, response, and recovery—to aid manufacturers in thinking through how to address postmarket cyber risks.
Realizing that it cannot unilaterally address all medical device cybersecurity risks, FDA has also taken steps to collaborate with other organizations and has encouraged device manufacturers and healthcare providers to take greater responsibility for reacting to cybersecurity threats in the postmarket context. For instance, as detailed in the 2016 postmarket cybersecurity guidance, FDA believes it is critical for manufacturers to participate in an information sharing and analysis organization, which are intended to serve as focal points for cybersecurity information sharing. Additionally, in October 2018, FDA announced a memorandum of agreement between itself and the U.S. Department of Homeland Security to implement a new framework for greater coordination and cooperation between the two agencies for addressing cybersecurity risks in medical devices. Finally, in coordination with the MITRE Corporation, FDA helped launch a cybersecurity playbook for healthcare delivery organizations that details the types of actions such organizations should take to better respond to cybersecurity attacks.
While FDA has already taken numerous steps to address cybersecurity threats applicable to medical devices, in light of two recent reports by the U.S. Department of Health and Human Services ("HHS") Office of Inspector General ("OIG"), it appears that more is likely to come. First, in September 2018, the HHS OIG published a report concluding that FDA should "take additional steps to more fully integrate cybersecurity into its premarket review process." Specifically, OIG recommended that FDA: (i) promote the use of presubmission meetings to address cybersecurity-related questions; (ii) include cybersecurity documentation as a criterion in FDA's Refuse-To-Accept checklist; and (iii) include cybersecurity as an element in the "Smart" template to help prompt cybersecurity questions from FDA reviewers. FDA concurred with all three recommendations and has started to implement them.
In October 2018, the HHS OIG issued a second cybersecurity report, this time focusing on the Agency's policies and procedures in the postmarket context. Among other things, the report found that "FDA's policies and procedures were insufficient for handling postmarket medical device cybersecurity threats" and that "FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices." Based on these findings, OIG recommended that FDA: (i) continually assess the cybersecurity risks to medical devices and update its plans and strategies; (ii) establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders; (iii) enter into a formal agreement with federal agency partners; and (iv) establish and maintain procedures for handling recalls of medical devices vulnerable to cybersecurity threats. While FDA disagreed with some of the findings, the Agency again concurred with the recommendations, noting it had implemented many of them during the course of the audit.
For manufacturers of networked medical devices, the takeaway is that cybersecurity is, and will become, an increasingly emphasized aspect of FDA's regulatory oversight. It is apparent from FDA's new draft guidance and the recommendations of OIG that, moving forward, more cybersecurity information will be required than ever before. However, it is also important for device manufacturers to realize that the onus for developing and implementing adequate cybersecurity measures rests primarily with them. As detailed in FDA's Cybersecurity Fact Sheet, FDA does not conduct premarket testing for medical products, and it is the responsibility of the manufacturer to assess its own products and implement adequate risk mitigation measures. Additionally, manufacturers are responsible for the validation of all software design changes, including software changes to address cybersecurity vulnerabilities. FDA recognizes that cybersecurity is a shared responsibility across the entire health care ecosystem; ultimately, it is going to expect that manufacturers take adequate steps to assess their products for cybersecurity risks and are able to provide assurances that the identified risks have been appropriately managed and mitigated.
Three Key Takeaways
- As an ever-greater number of medical devices are connected to the internet, cybersecurity will become an increasingly emphasized aspect of FDA’s oversight.
- FDA has already issued guidance documents that provide cybersecurity recommendations for medical device manufacturers in both the premarket and postmarket contexts.
- In light of recent OIG reports recommending that FDA take an even greater role in addressing and responding to cybersecurity threats, medical device manufacturers should be prepared to provide FDA with documentation demonstrating that cybersecurity risks have been appropriately managed and mitigated.
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be send using our "Contact Us" form, which can be found at www.jonesday.com/contactus.
Samir C. Jain
Colleen M. Heisey
J. Todd Kennard
Ian M. Pearson
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.