[BreachExchange] 5 Takeaways from FDA's Draft Guidance on Postmarket Management of Cybersecurity Risks in Medical Devices

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 22 21:10:13 EDT 2016


http://www.mddionline.com/blog/devicetalk/5-takeaways-fdas-draft-guidance-management-cybersecurity-risks-medical-devices-03-21-16

Data are becoming an increasingly integral component of medical
technologies, including medical devices. However, the sensitive nature of
healthcare data increases the risk that device companies and their partners
will be targets of cyberattacks and heightens the consequences of a breach.

Recognizing the risks that device makers face, FDA has issued draft
guidance to the industry regarding postmarket management of security risks
for medical devices. The document covers the assessment and management of
cybersecurity risks as well as reporting and remediation of vulnerabilities
that surface after a device is marketed. It also includes FDA’s template
for an effective postmarket security program.

Here are some of the key takeaways from FDA’s draft guidance for the
management of cybersecurity risks for medical device makers.

1.) The draft guidance does not cover all regulatory risks relating to
cyberattacks.

As a document issued by FDA, the guidance is primarily concerned with
protection against cyberattacks that threaten patient health. These are not
the only risks manufacturers face, however.

For example, devices connected to a network or other devices may spread
patient data even further, heightening their risk of attack and increasing
liability in the event of an attack. If a manufacturer’s device or software
creates data, that data could be valuable to hackers, which could cause
financial or other harm to the patient even if the patient’s health is not
directly affected by the breach.

The Federal Trade Commission (FTC) is responsible for enforcing
consumer-privacy laws and has obtained civil fines, restitution, and
structural reforms against companies that were the subject of breaches.

2.) The draft guidance provides no safe harbor.

The draft guidance provides recommendations for companies to identify and
remedy potential risks and offers best practices for designing a postmarket
security program. It notes in a preamble, however, that it does not create
any rights in any person, nor is it binding even on FDA’s own staff.
Moreover, the draft guidance is limited to those cybersecurity
vulnerabilities that could lead to adverse health consequences.

Thus, while manufacturers can use the draft guidance as a starting point
for adopting their own postmarket safeguards, they should work with counsel
to identify the risks so that their device and use of data do not impact
clinical performance. They should also consult a cybersecurity expert who
can incorporate intelligence from the FTC’s latest enforcement actions and
pronouncements outside of the device field.

3.) Postmarket risk management is not a substitute for premarket assessment
of risks.

The draft guidance is limited to postmarket management of cybersecurity
risks. A similar document relating to premarket risk management was
finalized in 2014. As such, the focus of this draft guidance is on the
continual assessment of risks in devices that have already reached the
market.

The draft guidance emphasizes that, from FDA’s perspective, postmarket risk
management cannot substitute for a thorough evaluation of vulnerabilities
before a device reaches the market. On this point, the draft guidance
merely confirms best practices for device manufacturers. Thoroughly
understanding employees’ and partners’ responsibilities regarding security
risks and vetting vulnerabilities and potential consequences of breaches
with counsel and security experts before a device reaches market are the
most efficient means to reduce vulnerabilities down the line. But even the
most thorough premarket evaluation should be supplemented with appropriate
postmarket controls to acknowledge the reality that controls for cyber
threats need to evolve with the threats themselves.

4.) A manufacturer should assess the likelihood of a breach occurring and
consider the severity of an eventual breach.

The draft guidance sets out a useful metric for evaluating cyber threats
and prioritizing risk-mitigation strategies. It suggests that risk
management focus on two characteristics: the exploitability of the
cybersecurity vulnerability and the severity of the health impact to
patients if the device is exploited.

An assessment of risks that takes into account both the likelihood of the
risk coming to fruition and the severity of the harm if it does is
consistent with best practices in risk management. Such an approach
acknowledges that elimination of all negative risks may be neither possible
nor desirable and may itself jeopardize the performance of a given device.

While assessing the exploitability of a vulnerability and its likelihood of
affecting health is a good starting point for risk management, FDA’s draft
guidance is not the end of the cybersecurity inquiry. When companies
evaluate cybersecurity risks—both premarket and postmarket—they should work
with their counsel to identify and mitigate the risks that do not directly
affect patient health.

As noted, the FTC remains the chief privacy enforcer. Vulnerabilities that
expose financial, demographic, or other personal information may constitute
critical risks, even though they fall outside of FDA’s jurisdiction. Thus,
when assessing the likelihood and severity of threats, manufacturers should
take all potential risks into account, rather than just those that affect
health.

5.) Collaboration is encouraged.

The draft guidance encourages companies to form and join cybersecurity
information sharing analysis organizations (ISAOs) to enable them to share
information on potential risks and vulnerabilities. Executive Order 13691,
issued by President Obama in February 2015, ordered the Department of
Homeland Security to “strongly encourage” the formation of ISAOs within
sectors, regions, or other affinities, through which private companies,
governmental agencies, and interest groups could collaborate to detect and
mitigate common security threats. The draft guidance confirms the mandate
of EO 13691 that ISAOs should be open and inclusive, actionable,
transparent, and trusted. FDA has already entered into a Memorandum of
Understanding with one such group—the National Health Information Sharing &
Analysis Center—and openly encourages more.

While sharing information is encouraged from a cybersecurity perspective,
sharing itself may pose other risks. For example, sharing sensitive
commercial information, such as current or recent prices, customers, and
sales volumes, could raise concerns that information sharing elevates
prices in violation of the antitrust laws. Care must also be taken to
protect trade secrets and other sensitive commercial information when
sharing information about cyber threats. For this reason, it remains
prudent to contact counsel when sharing data or information with other
entities, especially competitors.

Conclusion

By now, it is clear that device manufacturers’ health-risk assessment
should include an evaluation of vulnerabilities in their devices caused by
the integration of data into those devices. FDA’s draft guidance on
postmarket management of cybersecurity in medical devices provides
companies with a framework for prioritizing and mitigating those risks,
which can be helpful if integrated into a comprehensive cybersecurity
program.

While the document does provide useful guidance, it is no substitute for
experienced cybersecurity counsel, which can help spot and mitigate risks
that might arise in real-world settings. The draft guidance will be open to
public comments through mid-April, after which it will be finalized by FDA.