Among the things you need to know: The guidance doesn't cover all regulatory risks related to cyberattacks and provides no safe harbor for device makers.

Richard M. Martinez and Ryan W. Marth

Data are becoming an increasingly integral component of medical technologies, including medical devices. However, the sensitive nature of healthcare data increases the risk that device companies and their partners will be targets of cyberattacks and heightens the consequences of a breach.

Recognizing the risks that device makers face, FDA has issued draft guidance to the industry regarding postmarket management of security risks for medical devices. The document covers the assessment and management of cybersecurity risks as well as reporting and remediation of vulnerabilities that surface after a device is marketed. It also includes FDA’s template for an effective postmarket security program.

Here are some of the key takeaways from FDA’s draft guidance for the management of cybersecurity risks for medical device makers.

1.) The draft guidance does not cover all regulatory risks relating to cyberattacks. 

As a document issued by FDA, the guidance is primarily concerned with protection against cyberattacks that threaten patient health. These are not the only risks manufacturers face, however.

For example, devices connected to a network or other devices may spread patient data even further, heightening their risk of attack and increasing liability in the event of an attack. If a manufacturer’s device or software creates data, that data could be valuable to hackers, which could cause financial or other harm to the patient even if the patient’s health is not directly affected by the breach.

The Federal Trade Commission (FTC) is responsible for enforcing consumer-privacy laws and has obtained civil fines, restitution, and structural reforms against companies that were the subject of breaches. 

2.) The draft guidance provides no safe harbor.

The draft guidance provides recommendations for companies to identify and remedy potential risks and offers best practices for designing a postmarket security program. It notes in a preamble, however, that it does not create any rights in any person, nor is it binding even on FDA’s own staff. Moreover, the draft guidance is limited to those cybersecurity vulnerabilities that could lead to adverse health consequences.

Thus, while manufacturers can use the draft guidance as a starting point for adopting their own postmarket safeguards, they should work with counsel to identify the risks so that their device and use of data do not impact clinical performance. They should also consult a cybersecurity expert who can incorporate intelligence from the FTC’s latest enforcement actions and pronouncements outside of the device field.   

3.) Postmarket risk management is not a substitute for premarket assessment of risks.

The draft guidance is limited to postmarket management of cybersecurity risks. A similar document relating to premarket risk management was finalized in 2014. As such, the focus of this draft guidance is on the continual assessment of risks in devices that have already reached the market.

The draft guidance emphasizes that, from FDA’s perspective, postmarket risk management cannot substitute for a thorough evaluation of vulnerabilities before a device reaches the market. On this point, the draft guidance merely confirms best practices for device manufacturers. Thoroughly understanding employees’ and partners’ responsibilities regarding security risks and vetting vulnerabilities and potential consequences of breaches with counsel and security experts before a device reaches market are the most efficient means to reduce vulnerabilities down the line. But even the most thorough premarket evaluation should be supplemented with appropriate postmarket controls to acknowledge the reality that controls for cyber threats need to evolve with the threats themselves.  

4.) A manufacturer should assess the likelihood of a breach occurring and consider the severity of an eventual breach.

The draft guidance sets out a useful metric for evaluating cyber threats and prioritizing risk-mitigation strategies. It suggests that risk management focus on two characteristics: the exploitabilty of the cybersecurity vulnerability and the severity of the health impact to patients if the device is exploited.

An assessment of risks that takes into account both the likelihood of the risk coming to fruition and the severity of the harm if it does is consistent with best practices in risk-management. Such an approach acknowledges that elimination of all negative risks may be neither possible nor desirable and may itself jeopardize the performance of a given device.

While assessing the exploitability of a vulnerability and its likelihood of affecting health is a good starting point for risk management, FDA’s draft guidance is not the end of the cybersecurity inquiry. When companies evaluate cybersecurity risks—both premarket and postmarket—they should work with their counsel to identify and mitigate the risks that do not directly affect patient health.

As noted, the FTC remains the chief privacy enforcer. Vulnerabilities that expose financial, demographic, or other personal information may constitute critical risks, even though they fall outside of FDA’s jurisdiction. Thus, when assessing the likelihood and severity of threats, manufacturers should take all potential risks into account, rather than just those that affect health.

5.) Collaboration is encouraged.

The draft guidance encourages companies to form and join cybersecurity information sharing analysis organizations (ISAOs) to enable them to share information on potential risks and vulnerabilities. Executive Order 13691, issued by President Obama in February 2015, ordered the Department of Homeland Security to “strongly encourage” the formation of ISAOs within sectors, regions, or other affinities, through which private companies, governmental agencies, and interest groups could collaborate to detect and mitigate common security threats. The draft guidance confirms the mandate of EO 13691 that ISAOs should be open and inclusive, actionable, transparent, and trusted. FDA has already entered into a Memorandum of Understanding with one such group—the National Health Information Sharing & Analysis Center—and openly encourages more.  

While sharing information is encouraged from a cybersecurity perspective, sharing itself may pose other risks. For example, sharing sensitive commercial information, such as current or recent prices, customers, and sales volumes, could raise concerns that information sharing elevates prices in violation of the antitrust laws. Care must also be taken to protect trade secrets and other sensitive commercial information when sharing information about cyber threats. For this reason, it remains prudent to contact counsel when sharing data or information with other entities, especially competitors.

Conclusion

By now, it is clear that device manufacturers’ health-risk assessment should include an evaluation of vulnerabilities in their devices caused by the integration of data into those devices. FDA’s draft guidance on postmarket management of cybersecurity in medical devices provides companies with a framework for prioritizing and mitigating those risks, which can be helpful if integrated into a comprehensive cybersecurity program.

While the document does provide useful guidance, it is no substitute for experienced cybersecurity counsel, which can help spot and mitigate risks that might arise in real-world settings. The draft guidance will be open to public comments through mid-April, after which it will be finalized by FDA.  

Richard M. Martinez is the chair of the privacy and cybersecurity litigation practice at Robins Kaplan LLP.

Ryan W. Marth is a principal in Robins Kaplan LLP's health and life sciences industry group.

[image courtesy of DAVID CASTILLO DOMINICI/FREEDIGITALPHOTOS.NET]