On December 28th, the US Food and Drug Administration (FDA) issued its finalized guidance for postmarket cybersecurity management of medical devices.
Most of the recommendations in the final guidance are in line with the draft version released last January; however, regulators have made some important changes, specifically related to cybersecurity vulnerability disclosure, participation in Information Sharing Analysis Organizations (ISAOs), and the remediation and reporting of medical device cybersecurity vulnerabilities.
In general, the final guidance offers details into a framework for medical device manufacturers to establish a postmarket cybersecurity risk management program, with specific criteria for reporting vulnerabilities depending on the risk posed to patients.
Manufacturers should now consider cybersecurity not as a separate concern, but an essential part of a product's total lifecycle.
The final guidance includes a newly expanded list of critical components for a medical device cybersecurity risk management program, to be considered across the lifecycle of the software. These include monitoring third-party software for newly disclosed vulnerabilities and validating software updates or patches designed to address vulnerabilities.
We've taken a closer look at the three significant changes in the final guidance below.
In the final guidance, regulators recommend manufacturers implement a disclosure policy "acknowledging the receipt of the initial vulnerability report to the vulnerability submitter."
This provision addresses a concern among security researchers that some companies never respond once they receive a vulnerability report about their products.
In addition to responses, the guidance also clarifies when cybersecurity vulnerabilities should be reported in the first place.
Just as in the draft guidance, the final recommendations hold that manufacturers will not need to report actions taken to enhance a device's cybersecurity or address vulnerabilities, except in "a small subset of actions taken by manufacturers to correct device cybersecurity vulnerabilities and exploits that may result in patient harm."
The change pertains to the examples of situations in which a device change would be considered a routine update or patch and, as such, would not need to be reported under 21 CFR Part 806.
Absent from the draft guidance was a definition of "active participation" in an ISAO, which we've included here:
Both the draft and final versions of the guidance recommend that device manufacturers participate in ISAOs and require active participation to avoid reporting certain cybersecurity related activity to the FDA.
Along with the reporting measures described above, FDA has altered the criteria that must be met to avoid reporting uncontrolled vulnerabilities.
These include actions device companies must take within 30 days of discovering a new vulnerability, with 60 days allowed to fix it, validate the change to the product, and distribute the fixed product to customers.
Both versions of the guidance recommend that manufacturers conduct a cybersecurity vulnerability assessment, in addition to other measures, to determine the risk of patient harm and categorize each risk as "controlled" or "uncontrolled." The final guidance lays out the following actions to take within 30 days of learning of a vulnerability:
• Communicate with customers and user community regarding the vulnerability
• Identify interim compensating controls
• Develop a remediation plan to bring the residual risk to an acceptable level
With only a short window of time to develop a comprehensive remediation plan that adequately addresses the root cause, it's important to consider all options at your disposal in order to develop an effective plan.
Contact us today to learn more about our remediation services. We pair you with experienced quality professionals to craft comprehensive remediation projects, communicate those plans to regulators, and execute on them through to completion.