Written by Joshua T. Foust
In past posts we’ve taken a close look at the Framework for Improving Critical Infrastructure Cybersecurity put forth by the National Institute of Standards and Technology (NIST), exploring its wide-ranging implications for companies across a number of different industries. As we’ve explained elsewhere, cybersecurity is an increasingly hot issue for agencies like the SEC, and the NIST Framework continues to shape how governmental and private actors alike tackle cybersecurity issues.
And this month, the beat goes on: last week, the FDA released its final cybersecurity guidance for medical device manufacturers incorporating the NIST Framework. While not yet mandatory, the FDA strongly recommends that manufacturers follow the guidance in explicitly addressing cybersecurity risks in premarket submissions for medical devices, particularly those that rely heavily on software, access patient data, and connect with electronic networks.
So what, exactly, are the highlights of the FDA’s guidance for medical device manufacturers? And what are the take-away lessons for companies in the industry, whether or not they’re in the process of seeking premarket approval for new devices?
Following the NIST Framework, the FDA recommends that companies focus on five core functions in addressing and managing cybersecurity risks: Identify, Protect, Detect, Respond, and Recover:
- Identify the specific cybersecurity risks posed by the device’s intended use, such as its reliance on electronic networks and the vulnerability of its software, as well as the likelihood of patient harm;
- Protect the device against threats by, for example, requiring passwords or biometric authentication of the device’s user, or by providing physical locks to restrict unauthorized use or access;
- Detect threats through mechanisms that recognize, log, and time security compromises, as well as alert the user;
- Respond by including device features that protect critical functions against threats and that show users what recommended actions to take; and
- Recover by providing methods that allow an authenticated user to retain and rescue the device’s configuration.
Even more concretely, the FDA further recommends that companies now include several specific types of documentation in their device approval submissions:
- A hazard analysis of the cybersecurity risks and corresponding controls considered for the device;
- A traceability matrix linking the device’s actual controls to the risks considered;
- A summary of the manufacturer’s plan for providing validated software updates throughout the device’s lifecycle;
- A summary of anti-malware controls designed to protect the device after it leaves the manufacturer; and
- Device usage instructions and product specifications describing the additional controls recommended for the device’s intended use, such as the use of anti-virus software or firewalls.
Last but not least, the FDA guidance also links to several “consensus standards” that the FDA officially recognizes for IT security.
The FDA’s guidance only reinforces the broader trend across the regulatory landscape. No matter the industry, companies that depend on networking software and firmware can no longer afford to ignore their cybersecurity risks, but the resources and guidance available to industry have never been more robust. And for medical device manufacturers specifically, it is now especially critical that companies seeking premarket approval from the FDA first develop a sound cybersecurity risk management strategy for their products.
