An expert view: Advancements in Pre and Postmarket Cybersecurity guidance

Anita Finnegan is a government advisor and an award-winning international expert in cybersecurity risk management. She is a published author and project leader of multiple, internationally regulated, industry standards for medical equipment in healthcare technology. Finnegan is also the founder of Nova Leah, a world leader in the provision of cybersecurity solutions for medical device manufacturers and healthcare providers.

SelectEvidence, Nova Leah’s flagship product, is an expert cybersecurity risk assessment platform that guides medical device manufacturers through the processes of identifying applicable threats to their products and implementing the right security controls to mitigate them.

Increased concern in the medical device domain

The introduction of connected medical devices in the last number of years has brought many benefits to the healthcare industry. It has improved patient care from both a medical and a business perspective. However, because of the complexity of these devices, security is becoming an increasing concern. The major concern in the Medical Device (MD) domain is that while technology is advancing, the processes to support these advancements are lagging.

If you follow Anita Finnegan on social media, which we strongly advise for those interested in cybersecurity risk management for medical devices, you will no doubt notice her championing the global progression in cybersecurity regulations. In France, the National Agency for the Safety of Medicines and Health Products (ANSM) developed draft recommendations on the cybersecurity of medical devices, becoming the first national regulator in Europe to do so. In a similar move in August, UC San Diego Health became the first patient care organisation to appoint a medical director of cybersecurity.

We asked Anita, for her take on how cybersecurity related issues are being addressed from a regulatory perspective and her take on how regulatory bodies around the world are responding to the challenge. We were specifically interested in advancements in Premarket and Postmarket Cybersecurity Guidance. In the following, Ms Finnegan provides some of her key insights.

Premarket Cybersecurity Guidance

In 2014, FDA published the final Premarket Cybersecurity Guidance, titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Guidance for Industry and Food and Drug Administration Staff”. This document sets out recommendations for medical device manufacturers (MDMs) for the process of implementing cybersecurity risk management during the development lifecycle. Although the title of the document includes the word “guidance” and the text within clearly states “contains nonbinding recommendations”, implementing a cybersecurity risk assessment program is mandatory.

The following risk assessment steps are set out in the document:

• “Identification of assets, threats, and vulnerabilities; ·
• Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients; ·
• Assessment of the likelihood of a threat and of a vulnerability being exploited; · Determination of risk levels and suitable mitigation strategies; ·
• Assessment of residual risk and risk acceptance criteria”.

The sequence of steps outlined are somewhat similar to the steps MDMs have followed for years to address safety risks i.e. risks that could potentially lead to patient harm. FDA now mandate that a similar process be followed to address cybersecurity risks i.e. risks introduced/caused by the connectivity of MDs. The agency (FDA) encourage MDMs to follow the approach adopted by the National Institute of Standards and Technology (NIST) in the Cybersecurity Framework (CSF). That is - identify, protect, detect, respond, and recover.

MDMs now also need to prepare and submit additional documentation during the premarket assessment to include

1. “Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including: a specific list of all cybersecurity risks that were considered in the design of your device; a specific list and justification for all cybersecurity controls that were established for your device.
2. A traceability matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered;
3. To assure continued safe and effective device use, the systematic plan for providing validated updates and patches to operating systems or medical device software, as needed, to provide up-to-date protection and to address the product lifecycle;
4. Appropriate documentation to demonstrate that the device will be provided to purchasers and users free of malware; and
5. Device instructions for use and product specifications related to recommended antivirus software and/or firewall use appropriate for the environment of use, even when it is anticipated that users may use their own virus protection software.”

It is clear from the above list that the Agency not only requires full visibility of the risk assessment that is carried out during the MD development phase, but also that MDMs take a proactive approach in safeguarding the future of MDs by way of patch management planning.

Postmarket Cybersecurity Guidance

On December 28^th, 2016, FDA published subsequent cybersecurity regulations which sets out a framework for managing cybersecurity issues for connected MDs for the duration of the product lifecycle (until product decommission). Once again, this document calls out the 21 CFR 820.30 which mandates the ongoing monitoring and risk assessment of MDs:

“...monitor, identify, and address cybersecurity vulnerabilities and exploits as part of their [MDMs] postmarket management of medical devices”.

In comparison to the requirements of the premarket cybersecurity guidance, the postmarket cybersecurity guidance presents more challenges for MDMs by way of additional time and people resources required to continuously monitor and manage devices. This guidance specifies that in addition to conducting the risk assessment steps outlined in the premarket assessment, MDMs must also continue:

• “Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
• Maintaining robust software lifecycle processes that include mechanisms for:

• monitoring third party software components for new vulnerabilities throughout the device’s total product lifecycle;
• design verification and validation for software updates and patches that are used to remediate vulnerabilities, including those related to Off-the-shelf software;

• Understanding, assessing and detecting presence and impact of a vulnerability;
• Establishing and communicating processes for vulnerability intake and handling;
• Using threat modelling to clearly define how to maintain safety and essential performance of a device by developing mitigations that protect, respond and recover from the cybersecurity risk;
• Adopting a coordinated vulnerability disclosure policy and practice;
• Deploying mitigations that address cybersecurity risk early and prior to exploitation”.

However, the requirement for reporting changes to MDs to the FDA has been alleviated (under certain conditions). Until this time, all changes to an MD required reporting to FDA but within this guidance FDA state that under the following circumstances reporting is not enforced when a change is required due to a vulnerability:

1. “There are no known serious adverse events or deaths associated with the vulnerability;
2. MDMs must communicate knowledge of the vulnerability and the remediation action plan to their customers within 30 days of becoming aware of the vulnerability;
3. MDMs must fix the vulnerability within 60 days of becoming aware of the vulnerability;
4. MDMs actively participate with an Information Sharing and Analysis Organisation (ISAO) and share information about discovered vulnerabilities that impact MDs.”

The postmarket cybersecurity guidance has created significant changes in terms of business processes for MDMs and the industry as a whole. New policies around vulnerability intake, handling, communication and remediation are now required. The guidance also highlights a significant change in the approach for addressing cybersecurity risks. FDA now strongly encourage information sharing in the industry. The agency has entered into multiple Memorandum of Understandings (MOU) with Information Sharing and Analysis Organisations (ISAOs) such as H-ISAC (formerly known as NH-ISAC), MedISAO and Southern California ISAO (SOCAL). Healthcare delivery organisations (HDOs), MDMs, security researchers and regulators are all encouraged to become members of an ISAO. The principle is that each participating member will share information about vulnerabilities affecting MDs with an ISAO. The ISAO will then investigate the vulnerability and alert the rest of the industry on the issue, with recommended resolutions.

Other regulatory body’s cybersecurity expectations

Since 2018, The Australian Therapeutic Goods Administration (TGA) and Health Canada have embarked on a similar journey, though not quite as advanced as US FDA. In July 2019, TGA published the “Medical Device Cybersecurity Guidance and Information for Consultation”. This is the first MD cybersecurity consideration for the Department of Health within the Australian Government. In June 2019, Canada Health published “Guidance Document – Pre-market Requirements for Medical Device Cybersecurity” {Health, 2019 #468}. This guidance outlines requirements relating to MD labelling, premarket approval documentation, device quality, safety and effectiveness, risk assessment and marketing history. In this guidance, Canada Health outline a strategy for cybersecurity across the entire lifecycle (premarket and postmarket).

Ten years ago, the MD industry looked a lot different to how it does today in terms of regulatory expectations. In the next ten years, we expect to see even more progression, especially with rapid advancement in technology surrounding connected medical devices. The need for medical device manufacturers to stay compliant is becoming greater than ever before.

You can visit novaleah.com to learn more about how Anita's company is providing a centralised cybersecurity management platform for medical device manufacturers.