FDA Ramps Up Its Efforts to Ensure Cybersecurity Risks Are Addressed in Medical Devices

As federal agencies including the U.S. Food and Drug Administration (FDA) and Centers for Medicare & Medicaid Services encourage interoperability and increased sharing of patient information to inform and improve quality of care and decrease costs, the risks inherent in that connectivity are also a significant concern. Laboratories are central to the discussion of interoperability and connectivity as easy transmission and sharing of laboratory test orders and results are critical to treatment decision-making. In the December 2015 issue of National Intelligence Report, we highlighted the OIG’s 2016 Work Plan which included a new project indicating the OIG is concerned about how well the FDA has ensured that networked medical devices at hospitals safeguard electronic protected health information (ePHI) and beneficiary safety. That article indicated that in light of the OIG’s focus, Lisa Gallagher, vice president, Technology Solutions, Healthcare Information and Management Systems Society (HIMSS) North America, predicted the FDA would heighten scrutiny of computerized medical device cybersecurity. The FDA has in fact now issued new draft guidance and held a recent public workshop addressing cybersecurity risks raised by networked medical devices.

FDA Releases Guidance on Safety of Interoperable Devices

Connectivity and interoperability raise not only security issues but also clinical safety and effectiveness issues as well. The FDA issued draft guidance on interoperable medical devices addressing pre-market submission recommendations for devices that interact with other devices or systems, including electronic health record systems. The FDA release announcing the draft guidance stated: “The FDA believes that the use and development of standards that support interoperability of medical devices is vital to creating interoperable systems that are reliable and safe.” The FDA is concerned with the devices’ ability to “safely and effectively exchange and use the exchanged information” and provides manufacturers with issues to consider when designing interoperable medical devices and drafting pre-market submissions and labeling for those devices. The benefit of interoperability, says the FDA, is the “potential to foster rapid innovation at lower cost.” The risk, however, is that without “appropriate functional, performance, and interface requirements” interoperable devices “may lead to the exchange of inaccurate, untimely, or misleading information,” device malfunction or patient injury or death. Therefore, the FDA draft guidance outlines for manufacturers the following considerations: anticipated users of the device and their need to understand clinical use and risks of the device and performance needs; device capabilities, security, verification, and validation considerations; labeling containing functional and performance requirements; and consensus standards for design of devices. The draft doesn’t address compatibility issues and connectivity but rather offers recommendations for what to include in the pre-market submission and labeling for an interoperable device.

FDA Guidance The FDA’s draft guidance, “Postmarket Management of Cybersecurity in Medical Devices,” notes that a “growing number of medical devices are designed to be networked to facilitate patient care” and necessarily include software that “may be vulnerable to cybersecurity threats.” Thus, the agency encourages medical device manufacturers to “address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device.” The FDA provides guidance for medical devices containing “software (including firmware) or programmable logic” and software that constitutes a medical device on its own but the guidance doesn’t apply to experimental or investigational medical devices. It addresses post-market surveillance of cybersecurity vulnerabilities. While the majority of “routine updates and patches” won’t require advance notification or reporting, remedies addressing a “small subset of cybersecurity vulnerabilities and exploits that may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death” would require agency notification. Among examples of vulnerabilities having impacts that require remediation, the FDA includes a hypothetical hospital report that a medical device fails to operate as intended leading to patient harm. The guidance includes as an appendix a list of elements for an effective postmarket cybersecurity program. Not all vulnerabilities however are fatal—the FDA “recognizes that medical devices and the surrounding network infrastructure cannot be completely secured” and there can be inadvertent incorporation of vulnerabilities into software and devices. The FDA is concerned rather with the impact of those vulnerabilities on “essential clinical performance of the device” which trigger patient safety concerns. Public comments will continue to be accepted regarding the draft guidance through April 21, 2016. Public Workshop FDA also held a two-day workshop Jan. 20-21, 2016, titled “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity.” The workshop addressed “the current state of medical device cybersecurity” and what can be done to improve security. One focus of the discussion was implementation of a “voluntary, risk-based framework for achieving enhanced cybersecurity” developed by the National Institute of Standards and Technology (NIST) with public and private sector collaboration. Compromised medical devices can malfunction, disrupt services or provide inappropriate access to patient information or endanger integrity of electronic health records and risk adversely affecting patient care. Suzanne Schwartz, MD, MBA, associate director for Science and Strategic Partnerships and Acting Director of Emergency Preparedness/Operations and Medical Countermeasures of the FDA’s Center for Devices and Radiological Health, analogized the workshop in her introductory remarks to a soundstage upon which the participants could come together like the members of an orchestra to change a “cacophony” of different stakeholders’ efforts to a “symphony,” coordinating “the richness and the diversity of efforts in medical device cybersecurity.” She emphasized the importance of cybersecurity to patients who “are at the very heart of everything that we do.” Acting FDA Commissioner Dr. Stephen Ostroff declared the topic of “vital importance” noting that technology “is in a constant state of evolution and change” which offers “great promise” but also requires “tremendous vigilance in response to potentially dangerous or risky applications.” He therefore exhorted the attendees that “as the devices become increasingly sophisticated and more interconnected and more interoperable, it is really vital that we work to make sure that these systems are protected from intrusions and exploitations just like other types of devices.” “We know for instance that the risk that the entire healthcare network could be compromised has grown exponentially over time.” He also reminded attendees that this is not the FDA’s initial efforts to address cybersecurity, noting the workshop and the recently released guidance build on discussions held in 2014 and the NIST voluntary “Framework for Improving Critical Infrastructure Cybersecurity.” In 2014, the FDA also released Final Guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.

Takeaway: While laboratories and other providers seek to attain interoperability and data sharing, the FDA highlights the security risks posed by medical devices that facilitate this goal.