CDRH Finalizes Post-Market Cybersecurity Guidance

January 4, 2017By Allyson B. Mullen

Last week, FDA finalized the guidance document, “Postmarket Management of Cybersecurity in Medical Devices.” We previously blogged on the draft guidance released in early 2016 (here). The final guidance is similar to the draft issued in early 2016. There are, however, several noteworthy and significant edits.

In our view, the most significant of these edits is that FDA has changed nearly all references to “essential clinical performance” to “patient harm.” This change appears to shift the way in which FDA plans to evaluate cybersecurity risk—from essential clinical performance to the potential for patient harm. Specifically, FDA modified the purpose of the guidance to read, “this guidance recommends how to assess whether the risk of patient harm is sufficiently controlled or uncontrolled. This assessment is based on an evaluation of the likelihood of exploit, the impact of exploitation on the device’s safety and essential performance, and the severity of patient harm if exploited.” As exemplified by this quote, patient harm is now a key element of the final guidance.

The draft guidance dedicated several sections to defining and discussing essential clinical performance. It stated:

essential clinical performance means performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer. Compromise of the essential clinical performance can produce a hazardous situation that results in harm and/or may require intervention to prevent harm.

Thus, while the shift from essential clinical performance to patient harm is significant for purpose of the guidance, it may ultimately be simpler for manufacturers to apply. Essential clinical performance incorporated the concept of harm, but also used more amorphous concepts such as acceptable and unacceptable clinical risk. These elements may have been difficult for manufacturers to determine on a case-by-case basis. Patient harm appears to be more straightforward and in line with standards that the device industry is already used to, including for example, reporting corrections and removals under 21 C.F.R. Part 806, which is required when the action is undertaken to reduce a risk to health.

A few additional important changes include:

  • FDA added a new definition section discussing patient harm. The term “patient harm” was not used at all in the draft guidance. Thus, it was essential for FDA to provide additional clarity regarding this term. The final guidance defines patient harm “as physical injury or damage to the health of patients, including death. Risks to health posed by the device may result in patient harm.”
  • FDA added a new Section IX to detail what it means to actively participate in an Information Sharing Analysis Organization (ISAO). ISAOs are public-private partnerships that, according to the guidance, “gather and analyze critical infrastructure information in order to better understand cybersecurity problems and interdependencies, communicate or disclose critical infrastructure information to help prevent, detect, mitigate, or recover from the effects of cyber threats, or voluntarily disseminate critical infrastructure information to its members or others involved in the detection and response to cybersecurity issues.” Both the draft and final guidances state, “the Agency considers voluntary participation in an ISAO a critical component of a medical device manufacturer’s comprehensive proactive approach to management of postmarket cybersecurity threats and vulnerabilities and a significant step towards assuring the ongoing safety and effectiveness of marketed medical devices.”
  • FDA expanded the scope to expressly include mobile medical applications (MMAs). MMAs could have been inferred from the original scope which included all devices.
  • Both the draft and final state that software changes made to strengthen cybersecurity are not typically subject to Part 806 recall reporting requirements so long as they meet certain criteria. One such criteria in the draft guidance required implementing device changes and compensating controls within 30 days of becoming aware of the cybersecurity vulnerability. The final guidance modified this requirement to be that as soon as possible, but no later than 30 days after becoming aware of the cybersecurity vulnerability, a manufacturer must “communicate with . . . customers and user community regarding the vulnerability, identify interim compensating controls, and develop a remediation plan to bring the residual risk to an acceptable level.” The final guidance adds several other requirements regarding this process and timing.
  • The final guidance adds that upgrades to increase confidentiality protection (i.e., cybersecurity) are also not generally subject to Part 806 reporting.
  • Both the draft and final guidances indicate that routine cybersecurity updates and patches will not generally require premarket review. The final guidance adds, however, that cybersecurity routine updates and patches could change other functionality of the device, and therefore must be assessed to determine whether premarket review is required.
  • One of the recommendations in the draft and final guidance for remediating a cybersecurity threat is to “identify and implement compensating controls to adequately mitigate the cybersecurity vulnerability risk.” The final guidance notes that manufacturers should consider the knowledge and expertise necessary to properly implement the recommended control.
  • The final guidance adds a new section titled “Examples of Vulnerabilities Associated with Controlled Risk and their Management.” In this section FDA provides four examples of instances in which a device manufacturer becomes aware of a cybersecurity vulnerability after a device has been commercialized. The examples describe the manufacturer’s evaluation as to whether the risk of patient harm is controlled or uncontrolled and the manufacturer’s response. In all three examples, the risk of patient harm is controlled, and consequently, the resulting routine update or patch to address the cybersecurity vulnerability does not need to be reported to FDA. While these examples are helpful, there are no corresponding examples of when the risk is uncontrolled and reporting under Part 806 would be required.
  • In assessing uncontrolled risk, the final guidance states that “manufacturers should consider the exploitability of the vulnerability and the severity of patient harm if exploited.”

This list of some of the most significant changes in the final guidance highlights a key point we made in our post on the draft guidance: this guidance imposes significant new requirements on manufacturers of devices with potential cybersecurity vulnerabilities. For legacy products, manufacturers may need to consider cybersecurity vulnerability for the first time in its product’s life cycle. This can be a daunting task. However, like the draft guidance, the final guidance provides no additional information as to how FDA plans to enforce the recommendations set out in this guidance. Thus, only time will tell how (or if) FDA will choose to enforce the need for cybersecurity in medical devices in the postmarket setting.

Categories: Medical Devices