FDA Takes On 2016’s Ubiquitous Issue: Cybersecurity
02.11.16
Late last year, President Obama signed the Cybersecurity Act of 2015 into law. This major legislation addresses improvements in cybersecurity related to communication and relationships between the private and public sectors. Part of the bill requires the Director of the National Institute of Standards and Technology (NIST) and the Secretary of Homeland Security to form a Healthcare Industry Cybersecurity Task Force, comprising healthcare industry stakeholders, cybersecurity experts, and any relevant federal agencies or entities. The Task Force will be formed by March 17, 2016 and will convene for one year.
More recently, on January 22, the U.S. Food and Drug Administration (FDA) issued a Draft Guidance titled “Postmarket Management of Cybersecurity in Medical Devices.” The Draft Guidance is intended to clarify the FDA’s postmarket recommendations to emphasize manufacturers’ responsibility to monitor, identify, and address cybersecurity vulnerabilities.
As part of the management and monitoring of cybersecurity risk, the FDA encourages the use and adoption of the “Framework for Improving Critical Infrastructure Cybersecurity” developed by the National Institute of Standards and Technology (NIST) in combination with other regulatory directives and relevant expertise in the private sector. The NIST standards establish a framework intended to facilitate a manufacturer’s cybersecurity compliance with the medical device Quality System Regulation (21 CFR 820), including handling complaints, audits, corrective and preventive action, software validation and risk analysis, and servicing.
For premarket devices, the Draft Guidance states that compliance should include the following actions:
- Identification of assets, threats, and vulnerabilities
- Assessment of the impact of threats and vulnerabilities on device functionality and on end users/patients
- Assessment of the likelihood of a threat and of a vulnerability being exploited
- Determination of risk levels and suitable mitigation strategies
- Assessment of residual risk and risk acceptance criteria
For postmarket devices, again relying on NIST standards and the Quality System Regulation, manufacturers must implement comprehensive cybersecurity risk management programs that include the following elements:
- Monitor cybersecurity information sources to identify and detect cybersecurity vulnerabilities and risk
- Understand, assess, and detect presence and impact of a vulnerability
- Establish and communicate processes for vulnerability intake and handling
- Clearly define essential clinical performance in order to develop mitigations that protect against, respond to, and recover from the cybersecurity risk
- Adopt a coordinated vulnerability disclosure policy and practice
- Deploy mitigations that address cybersecurity risk early and prior to exploitation
Ultimately, processes to identify hazards associated with the cybersecurity of a medical device require determining the degree to which a cybersecurity vulnerability can be exploited as well as the severity of a health impact to a patient if the vulnerability were exploited.
In the announcement in the Federal Register, the FDA specifically welcomed feedback on a variety of matters, such as what factors contribute to a manufacturer’s decision to participate in an Information Sharing and Analysis Organization (ISAO), how and whether the FDA should define a “participating member,” and the characteristics of an ISAO. Interested parties may submit comments to the FDA until April 21, 2016.
As those already in the healthcare industry know, and as evidenced by the recent collaboration between NH-ISAC and EHNAC, ISAOs implicate the familiar issues with healthcare exchanges. The conversation and comments regarding data sharing and access will likely be heated and not only take place during this comment period, but also continue for the remainder of this year - and years to come.