FDA Proposes Medical Device Manufacturers Take the Lead in Managing Cybersecurity Threats

February 1, 2016 David Holtzman

Citing potential risks to patient health and safety due to cybersecurity vulnerabilities in medical devices, the Food and Drug Administration (FDA), Center for Devices and Radiological Health (CDRH) has proposed industry guidance calling for medical device vendors to monitor, report and mitigate cybersecurity vulnerabilities and exploits as part of a manufacturer’s post-market management program. The FDA action would apply only to networkable and implantable medical devices that require FDA approval. Many health care technologies, software and consumer-oriented applications are not classified as medical devices by the FDA and would not be subject to the proposed surveillance, reporting or mitigation management program.

While the FDA’s proposed medical device cybersecurity guidance would put the onus on manufacturers and vendors to develop monitoring and mitigation programs, healthcare organizations are the primary end users of most networked medical devices. The proposed guidance was the centerpiece of a two-day workshop held earlier this week at the agency’s White Oak Campus, bringing together stakeholders representing government, health care organizations, and medical device manufacturers to discuss a work plan to improve surveillance, identification of threats, and response to vulnerabilities impacting networked and implantable medical devices.

Specifically, the FDA’s proposed medical device cybersecurity guidance calls for manufacturers to proactively plan for and assess cybersecurity vulnerabilities. The draft guidance recommends that manufacturers implement a structured, systematic and comprehensive cybersecurity risk management program and respond in a timely fashion to identified vulnerabilities. Critical components of such a program would include medical device manufacturers developing management approaches to:

  • Apply the NIST Framework for Improving Critical Infrastructure Cybersecurity, which includes the core principles of “Identify, Protect, Detect, Respond and Recover;”
  • Monitor cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  • Understand, assess and detect presence and impact of a vulnerability;
  • Establish and communicate processes for vulnerability intake and handling;
  • Clearly define essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk;
  • Adopt a coordinated vulnerability disclosure policy and practice; and
  • Deploy mitigations that address cybersecurity risk early and prior to exploitation.

For the majority of cases, actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered “cybersecurity routine updates or patches,” for which the FDA does not require advance notification, additional premarket review or reporting under its regulations. Manufacturers would notify medical device owners and end users of the discovery of a cybersecurity vulnerability or exploit and provide the software patch or update to address the risk.

For a small subset of cybersecurity vulnerabilities and exploits that may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death, the FDA would require medical device manufacturers to notify the agency. The FDA would then coordinate with the manufacturer on notifying device owners and consumers, or on recalling the medical device from the marketplace.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives, including the effort to integrate the administration and enforcement of the HIPAA Security Rule and health information technology policies. David has nearly two decades of experience in developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup”, the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council, and Co-Chair of the Privacy and Security Workgroup for the North Carolina Healthcare Information & Communications Alliance (NCHICA).
