On Jan. 22, 2016, the U.S. Food and Drug Administration (FDA) issued draft guidance on postmarket management of cybersecurity in medical devices. Postmarket is the phase where the device is already being sold after obtaining the appropriate FDA approvals. Currently, there is a 90-day comment period before any final guidance is released. This guidance is important for multiple reasons:
1. It underscores the importance of patient education about their devices;
2. It serves as a reminder about cybersecurity vulnerabilities and their potential impact; and
3. It underscores reporting obligations in the event of a breach.
The term “medical device” is broad and encompasses everything from a titanium rod that is inserted into the femur to repair a fracture to pacemakers, which utilize software to regulate the heart’s rhythm and provide feedback to the physician. The FDA’s guidance applies to “the following: 1) medical devices that contain software (including firmware) or programmable logic, and 2) software that is a medical device.” Like any networked computer system, medical devices can be exploited, and such vulnerabilities “may represent a risk to the safety and effectiveness of medical devices.” Because of this risk, patient education, cybersecurity vulnerabilities and reporting obligations are addressed herein.
As part of the patient education process, providers need to fully explain how the device works and what maintenance requirements, including cybersecurity, apply to that particular item. If software updates or logins are required, it would be prudent for a provider to have the patient sign an Attestation of Understanding form and, when necessary, execute an informed consent document. Because of the potential impact on outcomes and health, making sure that the patient appreciates the risks and understands how the device works is critical. Physicians should work with manufacturers to make sure that patient education pieces are user friendly and comprehensive.
In any industry, cybersecurity is a focal point of business. Having one’s credit card compromised is one thing; having one’s heart or brain affected is another. Hence, the goal of the guidance is to make manufacturers, providers and, in turn, patients aware of the risks and how to mitigate them. According to the FDA, “[e]ffective cybersecurity risk management is intended to reduce the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate cybersecurity. An effective cybersecurity risk management program should incorporate both premarket and postmarket lifecycle phases and address cybersecurity from medical device conception to obsolescence.” Therefore, performing software updates and adhering to the manufacturer’s instructions is crucial.
Appreciating that not all medical devices or security vulnerabilities are created equal, the FDA set forth the following:
This guidance clarifies FDA’s postmarket recommendations and emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices. For the majority of cases, actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered “cybersecurity routine updates or patches,” for which the FDA does not require advance notification or reporting under 21 CFR part 806. For a small subset of cybersecurity vulnerabilities and exploits that may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death, the FDA would require medical device manufacturers to notify the Agency.
Hence, it is incumbent upon both the providers and the medical device companies to know these standards. Cybersecurity is becoming an ever-increasing aspect of life. There are steps that all parties can and should take to mitigate the risk and optimize patient outcomes.