FDA Issues Draft Guidance Document for Postmarket Management of Cybersecurity in Medical Devices (Part 2 of 4)

Risk Assessment and Management in a Dangerous World

Manufacturers of medical devices are faced with ever-increasing cyberattacks that could impact patient safety and the efficacy of useful devices.  One insurance group identified cyberthreats to medical devices as “open and growing”, describing a difficult “real world” scenario involving implantable defibrillators. The article noted that a variety of critically helpful medical devices could have been impacted by hackers seeking to extort money, or, in a darker scenario, cause harm to patients.  Clearly, an individual willing to cause harm to people by gaining control of a medical device could not only hurt individual patients, but also create panic in patient groups who are in need of medical devices to maintain good health.  If patients come to distrust medical devices, their rejection could severely impact the medical community’s ability to effectively treat certain diseases and acute medical issues.  As such, it is critical that manufacturers engage in appropriate risk management, which protects consumers from losing viable health care options, as well as preventing serious attacks on the safety of individual patients.

The FDA’s draft guidelines would require manufacturers to include “risk analysis, risk evaluation (and) risk control” as a part of the lifecycle management of a medical device.  The process must focus on “assessing the risk to the device’s essential clinical performance.” (emphasis in original)  In looking at the risk, the manufacturer must consider “(1) the exploitability of the cybersecurity vulnerability, and (2) the severity of the health impact to patients if the vulnerability were to be exploited”.  The FDA clearly is looking at a risk/benefit analysis that focuses on the likelihood the risk can be exploited and the relative severity of the health impact to patients in the event the of such exploitation.

In assessing the vulnerability of a medical device, the FDA recommends using a vulnerability scoring system which provides a ranking that ultimately is translated into low, medium and high degree of vulnerability to exploitation.  While there are several such scoring systems, the agency quotes from the “Common Vulnerability Scoring System, Version 3.0” as a useful tool.  This tool looks at a myriad of factors, including: attack vector, attack complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, availability impact, exploit code maturity, remediation level and report confidence.  In utilizing these concepts, the scoring system ultimately allows the manufacturer to plot the vulnerability of its product as low, medium or high.

The other side of the ledger is assessing the severity of the impact to the patient’s health, if the vulnerability were exploited.  Again, the agency does not require a specific system, but it does quote from “ANSI/AAMI/ISO 14971: 2007/(R)2010: Medical Devices—Application of Risk Management to Medical Devices.  This assessment tool rates the health impact in five categories: Negligible; Minor; Serious; Critical; and Catastrophic.  Obviously, the severity of health impact increases up the continuum.

When a manufacturer assesses both the Exploitability of the vulnerability and the Severity of Impact the Health (if Exploited), it can plot the points graphically and gain additional understanding regarding the severity of the risk.  Obviously, even a low level of Exploitability must be monitored and readied for remediation if the severity of impact to health is catastrophic.  Likewise, a potentially high Exploitability number may not be problematic when compared to a negligible or minor risk.  The scale is not rigid.  The current draft recommends that “manufacturers make a binary determination that the vulnerability is either controlled or uncontrolled using an established process that is tailored to the product, its essential clinical performance and the situation.”

The graph below demonstrates an example of how a company could plot these numbers and utilize the matrix to assist in developing a plan from remediation.

The lighter areas demonstrate controlled risk, while the darker shading indicates uncontrolled risk, which requires remediation.

Stay tuned for "Part Three of Four - Remediating and Reporting Cybersecurity Vulnerabilities" coming soon. Read "Part 1 - Background and Overview of Essential Concepts" here.