In draft guidelines scheduled to be issued on January 22, 2016 the Food and Drug Administration has served notice that it will focus increasing attention on the patient safety risks associated with Internet connected medical devices, and will require documented proof of management of those risks.
The introduction to the guidelines sets the theme for the FDA’s new vigilance in this area by succinctly tying cybersecurity vulnerabilities to the potential for physical harm to patients:
The exploitation of vulnerabilities may represent a risk to the safety and effectiveness of medical devices and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits. Proactively addressing cybersecurity risks in medical devices reduces the patient safety impact and the overall risk to public health.
A keystone phrase in this paragraph is “throughout the product life cycle.” The FDA Guidelines “suggests” that manufacturers establish risk management protocols, for as long as the device remains in service, to identify cybersecurity vulnerabilities (such “suggestions” often become regulatory metrics). This will comprise establishing and documenting procedures for assessing risks that affect performance of the device and vulnerabilities that could result in the device being compromised by intrusion and/or reprogramming, with malfunction and harm to the patient as a result.
The FDA has also “suggested” a reporting protocol for certain security flaws, and those that result in serious injury or death must be reported to the FDA. As an example of such reporting requirements, the agency postulated intrusion into and reprogramming of a pacemaker or defibrillator. This shows, perhaps, that the FDA is sensitive to public perception that life can imitate art, since it was widely reported in 2013 that former Vice President Dick Cheney had the wireless capability of his cardiac device disabled after he watched an episode of the Showtime series Homeland, in which a vice president was assassinated by a group that had hacked into his pacemaker.
Connected medical device manufacturers should take notice of these new guidelines and their protocol and documentation requirements, but also the idea that concerns of regulators, as well as the potential customer base, can be influenced by popular culture in a way that can increase cybersecurity compliance requirements. Security by design may be the most efficient means to risk management.
If you require assistance with FDA cybersecurity compliance for connected medical devices, please contact Kenneth N. Rashbaum.