After the OIG report, the FDA responded by saying that in the coming weeks it will overhaul its 2014 cybersecurity guidance, including by providing a list of commercial and off-the-shelf software and hardware components with known vulnerabilities.
The FDA can reject connected devices after performing a cybersecurity review of premarket device submissions because of potential risks to individuals from cyberattacks affecting connected medical devices. While these devices help advance medical treatment, they can be vulnerable to cybersecurity threats. The OIG’s objective of this review was to “examine the Food and Drug Administration’s review of cybersecurity risks and controls to mitigate those risks before it clears or approves networked medical devices for use in the United States.”
According to the OIG report, the FDA reviewers consider known cybersecurity risks and threats when reviewing submissions and apply that knowledge to devices that display similar risk profiles. The reviewers will request more documentation and meetings about cybersecurity with the manufacturers if submissions do not contain the information necessary for an adequate review.[2] The FDA has also established an internal cybersecurity workgroup, conducted industry educational activities, and begun adding cybersecurity as a special control for certain premarket notification submissions.
The nature of the security concern
Networked medical devices include critical equipment such as hospital room infusion pumps, diagnostic imaging equipment, and pacemakers. OIG undertook this study after instances where connected medical devices were cleared or approved by the FDA but remained susceptible to cybersecurity threats, such as ransomware and unauthorized remote access.
For example, in 2015, the FDA alerted the public that a networked infusion pump could be remotely accessed and controlled by an unauthorized user who exploits a cybersecurity vulnerability. The FDA encouraged medical providers to phase out these pumps and replace them with equivalents that are less vulnerable to potential hackers who could remotely power off the device or manipulate the medication dosage the pump administered. In another recent incident, the FDA learned that unauthorized users could remotely access and control an implantable cardiac device. Although no actual physical harm is known to have occurred from hacking incidents involving networked medical devices, “white hat” hackers have demonstrated it is possible to gain unauthorized access to such devices, allowing hackers to arbitrarily modify a device’s settings, deplete the device’s battery life, or administer inappropriate and potentially hazardous pacing or shock to a patient.
FDA review process
The FDA regulates networked medical devices using a “total product lifecycle” approach, which consists of two phases: premarket and post-market. The FDA uses its 2014 and 2017 cybersecurity guidance[3] to review premarket submissions from manufacturers. These guidance documents are intended to identify issues that manufacturers should consider in the development life cycle to address design-related security vulnerabilities. In reviewing premarket submissions, the FDA specifically assesses whether a networked medical device is safe and effective for its intended use, which includes an evaluation of its cybersecurity vulnerabilities. More recently, the FDA has begun incorporating cybersecurity into the special controls that govern some networked medical devices.[4]
In addition, the FDA provided manufacturers with post-market cybersecurity guidance in 2016.[5] Please see our prior client alert for more expansive discussion of these FDA guidance documents.[6] The FDA published this guidance to govern its own review of cybersecurity issues and to assist connected device manufacturers in more effectively managing cybersecurity risks.
FDA staff also use information about previously identified cybersecurity risks when conducting device reviews. For example, in its review of a submission for an insulin pump that used certain software, FDA reviewers will take into account a widely known password vulnerability that was identified in a similar device that was marketed by the same manufacturer.
In some cases, the FDA has rejected devices in the final clearance stage because of insufficient cybersecurity. FDA staff report that they often receive submissions that insufficiently address cybersecurity at the initial stages, in spite of the available guidance reports. FDA reviewers frequently need to request additional cybersecurity documentation from manufacturers during the premarket review process.
OIG recommendations
OIG found that the FDA could integrate cybersecurity more comprehensively into its premarket device review process in three ways.
Pre-Submission Program meetings
First, OIG recommends that the FDA promote the use of its Pre-Submission (Pre-Sub) Program to address cybersecurity-related questions. The FDA’s Pre-Sub Program enables a manufacturer to voluntarily seek and obtain formal, targeted feedback from the FDA on the design, development, or testing of its medical device or its premarket submission.[7]
Revising the Refuse To Accept checklists to require cybersecurity documentation
Second, OIG recommends that the FDA include cybersecurity documentation as a criterion in its current Refuse To Accept checklists, which the agency uses to screen submissions against minimum criteria.
Updating the Smart template to prompt cybersecurity questions
Third, the FDA’s Smart template, which the FDA uses to guide its reviews of submissions, does not prompt FDA reviewers with specific cybersecurity questions and lacks a section for recording the results of the cybersecurity review. OIG stated that the absence of a dedicated cybersecurity section in the Smart template may result in a failure to perform cybersecurity reviews and/or less consistent cybersecurity reviews. OIG recommends that the FDA add cybersecurity as an element in the Smart template.
Conclusion
Notably, the FDA has already expressed its agreement with all three recommendations and intends to include them in its next update of these items. Medical device manufacturers should anticipate that the FDA will promulgate new policies and procedures responsive to OIG’s recommendations in the near future. In particular, the FDA’s premarket guidance provides cybersecurity recommendations that may be burdensome to incorporate late in the development life cycle. Manufacturers concerned about the FDA’s cybersecurity requirements should consider taking the following steps:
- Develop a cybersecurity plan that identifies security risks associated with the use of the networked device, including hazards related to its use of software or network connectivity. Include in the cybersecurity plan a cybersecurity vulnerability and management process to assure software functionality. The vulnerability and management process should account for all security controls implemented to address the risks associated with the networked device.
- Implement encryption for device storage and for any network connections, particularly those that involve the storage or transmission of sensitive data, including personal information.
- Incorporate risk assessments and security testing as part of the device development life cycle.
1. U.S. Dep’t of Health & Human Servs., Office of the Inspector General, OEI-09-16-00220, FDA Should Further Integrate Its Review of Cybersecurity Into the Premarket Review Process for Medical Devices 1 (Sept. 2018).
2. For example, the FDA rejected one manufacturer’s premarket submission for a cardiovascular software diagnostic device because it briefly discussed the device’s security risk and controls, but did not identify hazards related to its use of software or network connectivity. In response, the manufacturer provided the FDA with a full cybersecurity plan and, among other things, updated its traceability matrix linking the device’s risks and controls. The FDA approved the updated submission.
3. Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Devices.
4. Special controls are specific risk-mitigation measures established by the FDA for a certain category of device. They are intended to provide the FDA (and the public) with a reasonable assurance of safety and effectiveness for the applicable device. Once established, a special control must be discussed and accounted for in a 510(k) premarket notification. The FDA’s recent De Novo Classification Order for contraception software added a cybersecurity risk-mitigation measure into the special controls governing contraception software regulated under 21 CFR § 887.573. The special control requires all premarket notification submissions to include a “cybersecurity vulnerability and management process to assure software functionality.” FDA De Novo Classification Order.
5. Postmarket Management of Cybersecurity in Medical Devices.
6. Medical Device Security: FDA Releases Final Guidance On Interoperable Medical Devices; DRI - The Voice of the Defense Bar; The Internet Of Medical Things Raises Novel Compliance Challenges; FDA Announces Plans to Improve Safety and Advance Innovation of Medical Devices
7. Requests for Feedback on Medical Device Submissions: The Pre-Submission Program and Meetings with Food and Drug Administration Staff.
Client Alert 2018-203