How Are You Managing Your Post-Market Cybersecurity Vulnerabilities for Medical Devices?


What is in the FDA Guidance Document:

This document stresses that it is important for device manufacturers to apply comprehensive cybersecurity risk management plans. This is not mere guidance, but a regulatory requirement.

Before going into the details of this cybersecurity guidance, let us first understand the scope of the regulation, that is, which devices are covered: medical devices that contain software or firmware, including programmable logic, and software that is itself a medical device. It also covers off-the-shelf software used. The US FDA made this legislation so that all stakeholders dealing in such medical devices shall guard against unauthorised entry into the network, which can lead to modification or abuse that can harm patient health and sometimes even cause death.

In December 2016, the CDRH and CBER divisions of the FDA published Guidance for businesses and FDA Staff, Post-market Management of Cybersecurity in Medical Devices. This document is intended to inform industry and FDA staff of the Agency’s recommendations for handling post-market cybersecurity vulnerabilities of medical devices. The guidance explains FDA’s post-market recommendations and emphasizes that manufacturers should monitor, recognise and address cybersecurity vulnerabilities and activities as part of their post-market management of medical devices.

The guidance also recommends that manufacturers take note of this and implement some measures in the pre-market phase. FDA has also published guidance on that. It recommends that cybersecurity be addressed during the design and development of medical devices. Design input should consider cybersecurity vulnerabilities, and mitigation measures are considered in design and development based on the risk profile. This means that the design should consider:

1. Identification of threats and vulnerabilities.
2. Assessment of the threats and vulnerabilities in (1) for patient risk.
3. Assessment of the threats and vulnerabilities in (1) being exploited.
4. Determination of the risk level and mitigation measures.
5. Assessment of residual risk and its acceptance.

Though pre-market considerations are good, they are not sufficient: cybersecurity threats evolve constantly, and measures taken during design and development may not remain sufficient over the long life of a device, so post-market measures are also necessary.


Therefore, it is essential that manufacturers implement comprehensive cybersecurity risk management programs and documentation consistent with the Quality System Regulation (21 CFR part 820), including but not limited to complaint handling (21 CFR 820.198), quality audit (21 CFR 820.22), corrective and preventive action (21 CFR 820.100), software validation and risk analysis (21 CFR 820.30(g)) and servicing (21 CFR 820.200). Apart from the above, action also involves identifying risk whenever it evolves. FDA has also published guidance on handling cybersecurity:

• The FDA has recognized ISO/IEC 30111:2013: Information Technology – Security Techniques – Vulnerability Handling Processes.

• Post-market cybersecurity information may originate from an array of sources, including independent security researchers, in-house testing, suppliers of software or hardware technology, health care facilities, and information sharing and analysis organizations (ISAOs). It is strongly recommended that manufacturers participate in an ISAO that shares vulnerabilities and threats that impact medical devices. Sharing and dissemination of cybersecurity information and intelligence pertaining to vulnerabilities and threats across multiple sectors is integral to a successful post-market cybersecurity surveillance program.

• Vulnerabilities that do not appear to currently present a risk of patient harm should be assessed by the manufacturer for future impact.

