FDA Requires Cyber Security Plan Submission for Medical Devices

FDA now requires a cyber security plan in your medical device submission.

On June 14, 2013, FDA issued Draft Guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (“Draft Cybersecurity Guidance”).

In brief, the Draft Cybersecurity Guidance states that manufacturers “should develop a set of security controls to assure medical device cybersecurity to maintain information confidentiality, integrity, and availability.”

Further:

Manufacturers should consider cybersecurity during the design phase of the medical device, as this can result in more robust and efficient mitigation of cybersecurity risks. Manufacturers should define and document the following components of their cybersecurity risk analysis and management plan as part of the risk analysis required by 21 CFR 820.30(g):

  • Identification of assets, threats, and vulnerabilities;
  • Impact assessment of the threats and vulnerabilities on device functionality;
  • Assessment of the likelihood of a threat and of a vulnerability being exploited;
  • Determination of risk levels and suitable mitigation strategies;
  • Residual risk assessment and risk acceptance criteria.

FDA notes that the “extent to which security controls are needed will depend on the medical device, its environment of use, the type and probability of the risks to which it is exposed, and the probable risks to patients from a security breach.”

FDA also asks that manufacturers provide justification in their premarket submission (PMA and 510(k)) for the security features chosen, including:

  • Limit access to trusted users only
  • Ensure trusted content
  • Use fail safe and recovery features

FDA specifically asks that the premarket submission discuss:

  1. Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including:
     • A specific list of all cybersecurity risks that were considered in the design of your device;
     • A specific list and justification for all cybersecurity controls that were established for your device.
  2. A traceability matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered;
  3. To assure continued safe and effective device use, the systematic plan for providing validated updates and patches to operating systems or medical device software, as needed, to provide up-to-date protection and to address the product life-cycle;
  4. Appropriate documentation to demonstrate that the device will be provided to purchasers and users free of malware; and
  5. Device instructions for use and product specifications related to recommended anti-virus software and/or firewall use appropriate for the environment of use, even when it is anticipated that users may use their own virus protection software.
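The risk analysis components listed earlier (assets, threats and vulnerabilities; impact; likelihood; risk level and mitigation; residual risk against acceptance criteria) and the traceability matrix in item 2 are easiest to keep consistent when they are one data set rather than separate spreadsheets. The following Python script is an added illustration, not part of this post or of the FDA guidance: it builds a small risk register and traceability matrix for a hypothetical infusion pump and flags the two gaps a reviewer looks for, a considered risk with no traced control and a residual risk above the acceptance criterion. The 1..5 scoring scale, the acceptance threshold of 6, the device, the risks and the controls are all constructed assumptions; the guidance prescribes none of them.

```python
"""Risk register plus traceability matrix for a hypothetical infusion pump.
All scales, thresholds, risks and controls below are constructed for this
example; the FDA draft guidance does not define any of them."""
from __future__ import annotations

from dataclasses import dataclass

SCALE_MAX = 5              # assumed ordinal scale: 1 (negligible) .. 5 (severe)
ACCEPTANCE_THRESHOLD = 6   # assumed acceptance criterion: residual impact x likelihood <= 6


@dataclass(frozen=True)
class Risk:
    """One row of the risk analysis: asset, threat, vulnerability and scores."""
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    impact: int        # effect on device functionality / patient safety
    likelihood: int    # likelihood of the threat exploiting the vulnerability

    def __post_init__(self) -> None:
        for score in (self.impact, self.likelihood):
            if not 1 <= score <= SCALE_MAX:
                raise ValueError(f"{self.risk_id}: score {score} outside 1..{SCALE_MAX}")

    def inherent_level(self) -> int:
        """Risk level before any control is applied."""
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Control:
    """A security control and the risk ids it is documented as mitigating."""
    control_id: str
    description: str
    mitigates: tuple[str, ...]
    likelihood_reduction: int = 0   # scale points the control removes from likelihood
    impact_reduction: int = 0       # scale points the control removes from impact


def residual_risk(risk: Risk, controls: list[Control]) -> int:
    """Risk level after every control traced to this risk is applied (floor of 1 per score)."""
    applicable = [c for c in controls if risk.risk_id in c.mitigates]
    likelihood = max(1, risk.likelihood - sum(c.likelihood_reduction for c in applicable))
    impact = max(1, risk.impact - sum(c.impact_reduction for c in applicable))
    return likelihood * impact


def traceability_matrix(risks: list[Risk], controls: list[Control]) -> dict[str, list[str]]:
    """Map every considered risk to the controls that trace to it; an empty list is a gap."""
    return {r.risk_id: sorted(c.control_id for c in controls if r.risk_id in c.mitigates)
            for r in risks}


def review(risks: list[Risk], controls: list[Control],
           threshold: int = ACCEPTANCE_THRESHOLD) -> dict[str, list[str]]:
    """Findings a submission reviewer would raise against the register."""
    matrix = traceability_matrix(risks, controls)
    untraced = [rid for rid, ids in matrix.items() if not ids]
    unacceptable = [r.risk_id for r in risks if residual_risk(r, controls) > threshold]
    # A control that cites a risk id never analysed means the register and the matrix disagree.
    known = {r.risk_id for r in risks}
    dangling = sorted({rid for c in controls for rid in c.mitigates if rid not in known})
    return {"untraced": untraced, "unacceptable": unacceptable, "dangling": dangling}


# Constructed sample register for a hypothetical infusion pump.
RISKS = [
    Risk("R1", "dosing parameters", "unauthorised user changes settings via service port",
         "service interface accepts commands without authentication", impact=5, likelihood=3),
    Risk("R2", "device firmware", "tampered update installed",
         "update images are not signature-checked", impact=5, likelihood=2),
    Risk("R3", "telemetry link to hospital system", "loss of network connectivity",
         "therapy logic depends on a live network session", impact=3, likelihood=3),
    Risk("R4", "event log", "log entries altered after the fact",
         "log file writable by any local process", impact=2, likelihood=2),
]
CONTROLS = [
    Control("C1", "Role-based authentication on the service interface", ("R1",), likelihood_reduction=1),
    Control("C2", "Firmware signature verified before installation", ("R2",), likelihood_reduction=1),
    Control("C3", "Fail-safe: continue therapy on last validated settings and alarm if the link drops",
            ("R3",), impact_reduction=2),
]

if __name__ == "__main__":
    for risk_id, control_ids in traceability_matrix(RISKS, CONTROLS).items():
        print(risk_id, "->", control_ids or "NO CONTROL")
    print(review(RISKS, CONTROLS))
```

Run as a script, the matrix shows R4 with no control, and the review reports R1 as still above the acceptance criterion (residual 10 after C1) and R4 as untraced: the first needs a further control, the second needs either a control or a documented acceptance of the residual risk before the register is submission-ready.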

Bear the cybersecurity plan in mind in connection with FDA regulation of mobile medical apps, under which many mobile applications in the health arena must now go through 510(k) FDA medical device regulation.

If you are developing a mobile app involving transmission of medical data or other health information, contact an experienced FDA attorney who is familiar with the legal rules applicable to mobile medical devices and cybersecurity. Call the Cohen Healthcare Law Group's FDA attorneys for a consultation.

Michael H Cohen Healthcare & FDA Lawyers
