How to Exempt Your Firm from Cybersecurity Reporting Requirements

Cybersecurity is a concern for connected medical devices, but not all risks are apparent—or materialize—until after a product is on the market. FDA therefore expects manufacturers to address cybersecurity “throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device,” the agency wrote in its December 2016 guidance, “Postmarket Management of Cybersecurity in Medical Devices.” 

The guidance clarified FDA’s enforcement plans and urges industry collaboration, but one of its recommendations—participation in an Information Sharing Analysis Organization (ISAO)—wasn’t necessarily available for medical device manufacturers. Until now.

Frances Cohen

The agency stated in the guidance that if you’re a member of an ISAO, certain reporting requirements may not apply. “But there weren’t any ISAO’s focusing on medical device manufacturers, so we decided to form one,” Frances Cohen, president of Promenade Software Inc., told MD&DI.

In January, Promenade Software launched MedISAO (www.medisao.com), an Information Sharing and Analysis Organization dedicated to improving the cybersecurity of medical devices through education, awareness, and advocacy, the company explained in a statement. Individuals and companies involved in design, manufacturing, or support of medical devices are invited to join MedISAO to collaborate and distribute information about cybersecurity threats and vulnerabilities that may affect device integrity and security.

To run such a community, Promenade set up a “forum and Web site and put processes in place,” Cohen explained. Members receive ongoing cybersecurity risk and threat information. Given the firm’s experience developing embedded medical device software, “We know exactly how certain software patches apply to medical devices, and we can filter out patches so that only the serious ones are included,” she explained. 

The community is designed for both experts and novices. “It is a place to share information that would be protected,” Cohen says. The community will help members evaluate vulnerabilities, share applicable response approaches, and promote best practices.

MedISAO’s mission seems to be in keeping with FDA’s expectations. According to the guidance, “ISAOs are intended to be: Inclusive (groups from any and all sectors, both non-profit and for-profit, expert or novice, should be able to participate in an ISAO); Actionable (groups will receive useful and practical cybersecurity risk, threat indicator, and incident information via automated, real-time mechanisms if they choose to participate in an ISAO); Transparent (groups interested in an ISAO model will have adequate understanding of how that model operates and if it meets their needs); and Trusted (participants in an ISAO can request that their information be treated as Protected Critical Infrastructure Information. Such information is shielded from any release otherwise required by the Freedom of Information Act or State Sunshine Laws and is exempt from regulatory use and civil litigation if the information satisfies the requirements of the Critical Infrastructure Information Act of 2002.”

Voluntary participation in an ISAO “is a critical component of a medical device manufacturer’s comprehensive proactive approach to management of postmarket cybersecurity threats,” wrote FDA. “For companies that actively participate in such a program, and follow other recommendations in this guidance, the Agency does not intend to enforce certain reporting requirements of the Federal Food, Drug, and Cosmetic Act.”

FDA offered several examples of device vulnerabilities associated with both controlled and uncontrolled risks of patient harm. In one example, “a manufacturer is made aware of open, unused communication ports,” and “analysis determines that the device’s designed-in features do not prevent a threat from downloading unauthorized firmware onto the device.” In this narrative, “the manufacturer communicates with its customers, the ISAO, and user community regarding the vulnerability, identifies and implements interim compensating controls, develops a remediation plan, and notifies users within 30 days of becoming aware of the vulnerability,” FDA explained. “If the manufacturer actively participates as a member of an ISAO and shares information about the vulnerability within the ISAO, FDA does not intend to enforce compliance with the reporting requirements in 21 CFR part 806. For class III devices, the manufacturer does submit a summary of the remediation as part of its periodic (annual) report to FDA.”

When it comes to ensuring cybersecurity, Cohen told MD&DI that “FDA is putting the responsibility on manufacturers, not on hospital IT departments. Some companies have been nailed for vulnerabilities.”

She has heard companies push back, making statements such as “I’m a small guy, do I care? Will I be targeted?”

She responds by saying, “If you’re part of the ecosystem, you are making everyone vulnerable.”

Daniel Beard

Daniel Beard, Director of MedISAO and Vice President of Technology for Promenade Software, said in a statement that “as medical devices become connected to networks, mobile platforms, and the cloud, security becomes paramount. Cybersecurity vulnerabilities create risks for patients and the community. As Director of MedISAO, I am committed to helping preserve patient safety and trust.”

Promenade Software spoke with MD&DI just before MD&M West 2017, where the software provider demonstrated “Parlay.” The solution is designed specifically for the needs of medical devices to provide secure connectivity between the instrument, mobile (Andriod and iOS), and cloud. It embeds instrumentation and remote diagnostics capabilities into the system at every level, giving developers, researchers, testers, manufacturers, and field service technicians the ability to “see” into the inner workings of the device and diagnose or characterize system behavior, the company stated.

For perspectives on medical device development, plan to attend the conference at Advanced Design & Manufacturing Cleveland March 29-30. You'll learn about the journey from product conceptualization to market entry as well as the emerging technologies that are changing the future of the healthcare landscape.

Device talk Tags: