By Jim Dickinson
Legacy 510(k)-cleared devices that are being modified and require a new 510(k) submission will need to be evaluated for cybersecurity risks, according to CDRH Office of Device Evaluation policy analyst Abiy Desta.
Desta said in a recent Webinar on the center’s final guidance on content of premarket submissions for management of cybersecurity and medical devices that if a currently marketed device “requires a 510(k) because of changes you've made, that would be up to the discretion of the review branch to see whether cybersecurity risks need to be concerned or whether the device, as it stands alone, poses low risk and the modification you propose could go through without addressing cybersecurity.”
Medical device vulnerability increases as more devices are connected to the Internet and hospital networks, Desta said.
“FDA recognizes that medical device security is a shared responsibility between stakeholders including healthcare facilities, patients, providers, and manufacturers of medical devices,” he explained. The agency recommends the instructions of use and the product specifications of a medical device include information on what cybersecurity controls are expected and the intended environment use . . . The agency recommends that medical device manufacturers provide justifications in their premarket submissions for security functions chosen for the medical device.”
According to Desta, examples of security functions manufacturers may choose to consider include the following:
- Limiting access to the device to authenticated users.
- Terminating sessions after a set period of time where it is appropriate for that use environment.
- Using layered authentication methods.
- Strengthening password protection.
- Taking steps to minimize tampering.
- Requiring authentication before permitting updates.
- Implementing features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use.
- Developing and providing information to end users concerning appropriate actions to take upon detection of cybersecurity events.
- Implementing device features that protect critical functionalities even when device cybersecurity has been compromised.
- Providing methods for retention and recovery of device configuration information.
Desta said the documentation CDRH would like to see in the premarket submission includes hazard analysis, mitigation, and design consideration pertaining to intentional and unintentional cybersecurity risks associated with the device.
He said firms should also include in their submissions a “traceable matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered; a summary describing the plan for providing validated software updates and patches as needed; a summary describing controls that are in place to ensure that the medical device software will maintain its integrity while it is under your control; device instruction for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment.”
Most of the cybersecurity documentation in submissions should reside in the software risk analysis section, Desta said in the Webinar. Asked whether the guidance recommendations will lead to cybersecurity coverage during inspections, he said this is a premarket guidance. “It does not deal with postmarket or enforcement issues,” he said.
Jim Dickinson is MD+DI's contributing editor.
[image courtesy of STUART MILES/FREEDIGITALPHOTOS.NET]