FDA Issues Draft Guidance Document for Postmarket Management of Cybersecurity in Medical Devices (Part 4 of 4)
The Proper Elements of an Effective Postmarketing Cybersecurity Program
The most practical portion of the FDA’s proposed guidelines is found in the Appendix. In this section, the agency attempts to bring together all of the concepts from its recommendations into a cohesive summary of the necessary components of a proper cybersecurity program. The section discusses five broad concepts drawn from the NIST Framework: (1) Identify; (2) Protect; (3) Detect; (4) Respond; and (5) Recover. All of these concepts are essential to a company’s cybersecurity program.
The first issue is how to properly identify threats. For a medical device manufacturer, this process is rooted in having a solid definition of “essential clinical performance.” As you will recall from Part One, “essential clinical performance” is the “performance that is necessary to achieve freedom from unacceptable clinical risk.” The manufacturer determines the potential severity of outcomes if the device is compromised and also the risk acceptance criteria. This allows the manufacturer to properly “triage” potential vulnerabilities for remediation. The concept of essential clinical performance is the main criterion in determining whether or not a particular cybersecurity vulnerability requires immediate mitigation or some lesser level of response. It is not enough that the manufacturer simply respond to cybersecurity threats in the field. Manufacturers need to actively engage in identifying cybersecurity signals and handle such vulnerability information in a way that reduces risk.
The second issue is protecting against potential and known threats. This requires a manufacturer to conduct a proper vulnerability characterization and assessment. When measuring the potential exploitability of a known vulnerability, the company should look at “remote exploitability, attack complexity, threat privileges, actions required by the user, exploit code maturity and report confidence.” Using a scoring system, such as CVSS (“Common Vulnerability Scoring System”), gives additional guidance as to how to quantify the risk and protect against the threat. This is used in risk analysis and threat modeling. “Threat modeling” is an important concept, in that it is a procedure that identifies vulnerabilities and then designs countermeasures to mitigate or eliminate the risk, prior to any actual threat taking place.
The third issue is detecting potential threats in the “real” world. Depending on the sophistication of the device, there may be very little internal ability to detect cybersecurity threats in real time. Networked devices are largely reliant (and dependent) on the security features of the parent network. Non-networked devices face different threats and are often even more vulnerable to threats that evade detection. Manufacturers are encouraged to incorporate design features that “establish or enhance” a device’s ability to detect and capture evidence of a cyberattack. In addition, the company should also have a procedure in place to assess the impact of a cyberattack across the entire device lineup.
The fourth issue is responding to threats. In order to reduce the risk to essential clinical performance, compensating controls must be implemented and provided to users to prevent harm. These remediations include everything from official and permanent fixes to temporary fixes and workarounds. The company must respond appropriately to threats, while endeavoring to keep important medical devices functional and safe.
The final issue, which is the device manufacturer’s ability to recover following a cyberattack, is really an outgrowth of following the above guidelines. If the company has properly assessed the risk of a particular vulnerability, then the company should develop a response that is appropriate based on the risk to essential clinical performance. If the risk is mitigated, then the device continues to benefit the public, protected from cyberthreats.
In the end, the proposed FDA guidelines are fairly common sense adoptions of accepted cybersecurity principles. Most of the guidelines are industry-led, and the agency leaves manufacturers significant leeway in developing their own cybersecurity policies within the framework of known and accepted industry standards. We will continue to track changes to these recommendations as they are further revised by the agency, with input from both industry and citizen groups.
Read "Part 1 - Background and Overview of Essential Concepts" here; "Part 2 - Risk Assessment and Management in a Dangerous World" here; and "Part 3 -
About Drug / Device Law Blog
Baker Sterchi's Drug / Device Law Blog examines topics and legal developments of interest to the drug and device industry. Learn more about the editor, Paul Penticuff, and our Drug and Device practice.