News | Cybersecurity | December 29, 2016 | Dave Fornell

FDA Seeks Management of Cybersecurity in Medical Devices

Postmarket management of cybersecurity in medical devices guidance for industry and FDA now available

The FDA wants to regulate cybersecurity of ICDs and other medical devices.

The FDA has concerns about the cybersecurity of implantable medical devices with wireless connections for patient monitoring or adjustments to how the device functions. Changing the function of an implantable cardioverter defibrillator (ICD) using wireless access to the device could present a major patient safety issue.

As wearable and implantable patient monitoring or therapy devices become more sophisticated, with advanced wireless connectivity to extract patient information and change device functionality, there are growing concerns that these technologies will be targets of hackers. The U.S. Food and Drug Administration (FDA) believes this poses a threat to patient safety. In December 2016 the agency announced the availability of the guidance document entitled "Postmarket Management of Cybersecurity in Medical Devices," which addresses reporting under 21 CFR part 806.

The FDA is issuing this guidance to inform industry and FDA staff of the agency's recommendations for managing postmarket cybersecurity vulnerabilities in marketed medical devices. The guidance clarifies FDA's postmarket recommendations with regard to addressing cybersecurity vulnerabilities and emphasizes that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of the postmarket management of their medical devices.

The issue of cybersecurity of cardiac implantable devices raised concerns with the Secret Service for former Vice President Dick Cheney, who had one of these devices. The issue was also raised in 2016 by a medical device market research firm that published a report alleging these vulnerabilities exist in St. Jude Medical's implantable electrophysiology (EP) devices. Read the article "Market Report Calls Into Question St. Jude Medical EP Device Safety, Cybersecurity."

Background on the FDA Cybersecurity Guidance
On Feb. 19, 2013, the President issued Executive Order 13636 - Improving Critical Infrastructure Cybersecurity, which recognized that resilient infrastructure is essential to preserving national security, economic stability, and public health and safety in the United States. Executive Order 13636 states that cyber threats to national security are among the most serious and that stakeholders must enhance the cybersecurity and resilience of critical infrastructure. This includes the healthcare and public health critical infrastructure sector.

The FDA also said Presidential Policy Directive 21 - Critical Infrastructure Security and Resilience (PPD-21), issued on Feb. 13, 2013, tasks federal agencies to strengthen the security and resilience of critical infrastructure against physical and cyber threats such that these efforts reduce vulnerabilities, minimize consequences, and identify and disrupt threats. PPD-21 encourages all public and private stakeholders to share responsibility in achieving these outcomes.

In recognition of the shared responsibility for cybersecurity, the security industry has established resources including standards, guidelines, best practices and frameworks for stakeholders to adopt a culture of cybersecurity risk management. Best practices include collaboratively assessing cybersecurity intelligence information for risks to device functionality and clinical risk. FDA believes that, in alignment with Executive Order 13636 and PPD-21, public and private stakeholders should collaborate to leverage available resources and tools to establish a common understanding that assesses risks for identified vulnerabilities in medical devices among the information technology community, healthcare delivery organizations, the clinical user community, and the medical device community. These collaborations can lead to the consistent assessment and mitigation of cybersecurity threats, and their impact on medical device safety and effectiveness, ultimately reducing potential risk of patient harm.

Guidance Document Details
Part 806 (21 CFR part 806) requires device manufacturers or importers to report promptly to FDA certain actions concerning device corrections and removals. However, the majority of actions taken by manufacturers to address cybersecurity vulnerabilities and exploits, referred to as "cybersecurity routine updates and patches," are generally considered to be a type of device enhancement for which the FDA does not require advance notification or reporting under part 806. 

For a small subset of actions taken by manufacturers to correct device cybersecurity vulnerabilities and exploits that may pose a risk to health, the FDA would require medical device manufacturers to notify the agency.

This guidance clarifies which changes to devices are to be considered cybersecurity routine updates and patches (e.g., certain actions to maintain a controlled risk to health). In addition, the guidance outlines circumstances in which FDA does not intend to enforce reporting requirements under part 806 for specific vulnerabilities with uncontrolled risk. Specifically, FDA does not intend to enforce the reporting requirements when the circumstances outlined in the guidance are met within the predefined periods of time (e.g., communicate the vulnerability to customers and the user community and propose a timeline for remediation within 30 days after learning of the vulnerability; fix the vulnerability and validate the change within 60 days after learning of the vulnerability; actively participate in an Information Sharing and Analysis Organization (ISAO)). The agency considers voluntary participation in an ISAO a critical component of a medical device manufacturer's comprehensive, proactive approach to management of postmarket cybersecurity threats and vulnerabilities and a significant step towards assuring the ongoing safety and effectiveness of marketed medical devices.

Public Comments on the Guidance Document
The public can submit comments via the Federal eRulemaking Portal at www.regulations.gov. All comments will be made public.


Related Healthcare Cybersecurity Content:

Raising the Bar for Medical Device Cyber Security

Healthcare Industry Lacking in Basic Cybersecurity Awareness Among Staff

Market Report Calls Into Question St. Jude Medical EP Device Safety, Cybersecurity

FDA Harshly Criticizes Abbott, St. Jude For Failure to Address EP Device Safety

Healthcare 2015 Data Breaches - Why the Cloud Is Not Responsible

HIMSS: Two-Thirds of Healthcare Organizations Experienced a Recent, Significant Security Incident

How You Should – and Should Not – Be Sharing Medical Information With Patients

How Can Doctors Practice Better Security?

U.S. Department of Health and Human Services, Office for Civil Rights, Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information
