OIG Recommends FDA Use Pre-submission Program to Evaluate Cybersecurity Risks

September 20, 2018Legal Alerts

In September 2018 the OIG published its report on the FDA’s review practices for medical devices with cybersecurity implications, referred to as “networked medical devices”.[1] The review serves as a reminder to manufacturers who intend to submit applications for the FDA to clear or approve.[2] Notably, the OIG recommends the FDA encourage manufacturers to utilize its pre-submission conferences to discuss cybersecurity issues prior to submission of a 501(k) premarket notification submission or a premarket approval (PMA) submission.[3]

Manufacturers who wish to introduce a medical device that is classified as moderate or high risk into the market must seek FDA clearance or approval. The FDA utilizes a pre-submission program that allows manufacturers to voluntarily obtain non-binding feedback from the FDA regarding their potential or planned submission. A pre-submission is defined as formal written request for feedback from the FDA to be provided in the form of a written response, meeting or teleconference.[4] The pre-submission meeting may serve as a guide in the product development and application processes. Because manufacturers can seek targeted advice that is specific to their product, participation in the program may save the manufacturer money and valuable time.

The FDA recommends applicants strongly consider the pre-submission program when the product involves novel technology or a novel type of risk, such as cybersecurity risk.[5] Cybersecurity is defined by the FDA as the process of preventing unauthorized access, unauthorized modification, misuse or denial of use or unauthorized use of information that is stored, accessed or transferred from a medical device to an external recipient.[6] Networked medical devices are becoming increasingly more common with recent advancements in medical technology and wireless connectivity. [7] Medical devices, like computers, are vulnerable to breaches. Networked medical devices without adequate controls can adversely affect functionality and lead to consumer harm.[8]

For example, in 2015, an independent researcher discovered that unauthorized users were able to remotely access a networked infusion pump.[9] The pump had the ability to be programed remotely using the hospital’s Ethernet or wireless network.[10] An attacker could alter the medication dosage scheduled to be delivered to the patient, which could result in adverse outcomes.[11] The FDA published a user alert and encouraged health care facilities to discontinue use of the pump.[12] 

The FDA also recommends that manufacturers develop a set of cybersecurity controls to ensure the device functions safely.[13] Thus, during the pre-submission process, manufacturers can ask whether a device’s controls are and testing satisfy the FDA’s standard. However, the guidance provided in the discussions with the FDA is not binding. Nevertheless, manufacturers — particularly those who are required to submit a PMA submission — may save considerable time by addressing important cybersecurity concerns earlier in the process.

In consideration of the cybersecurity risk specific to a device, manufacturers must identify specific intentional and unintentional cybersecurity threats, the likelihood of those threats, the potential impact of the threats, and how they will mitigate these threats. They should conduct a full hazard analysis, a traceability matrix that links cybersecurity risks to controls[14], plans for validating and updating software, software supply chain controls, device instructions, and controls for appropriate use, such as antivirus software. [15] For example, manufacturers should consider a myriad of situations that the average user may encounter while using the device that could pose a threat, such as walking through a metal detector at the airport. The FDA recommends that manufacturers use the cybersecurity Framework Core functions as a guide: Identify, Protect, Detect, Respond and Recover.[16]

In order to best utilize the pre-submission process, manufacturers should consider the known cybersecurity threats that exist in similar devices that have been submitted.[17] For example, what vulnerabilities have been identified in other devices by this manufacturer?[18] What controls are in place to prevent loss of data? How do the controls prevent remote third-party user access? Do the controls hinder emergency use of the device? The more forethought the manufacturer has given to cybersecurity concerns upfront, the more valuable the guidance from the FDA will be moving forward in development of the product.

Overall, the FDA has been satisfied with manufacturers’ responses to their cybersecurity concerns in submissions.[19] The OIG recommends that the FDA promote the use of pre-submission meetings when conducting outreach and awareness activities.[20] The FDA has concurred with this recommendation and it has begun steps to implement it.[21]

A link to the OIG’s report can be found HERE.

Should you or your organization need more information about OIG’s recommendations to the FDA, the FDA’s pre-submission process as it applies to networked medical devices or other FDA or cybersecurity issues, please contact your Dinsmore attorney.

 

[1] U.S. Department of Health & Human Services, Office of Inspector General, FDA Should Further Integrate Its Review of CyberSecurity Into the Premarket Review Process for Medical Devices (2018).

[2] FDA clearance is required for most medical devices that are “substantially equivalent” to a device already on the market or marketed before 1976. This is known as the 501(k) submission process. See 21 CFR 807.92(a)(3). The FDA then “clears” the device to be marketed in the U.S. A premarket approval, or PMA, is used to demonstrate to the FDA that a new device is safe and effective through scientific and regulatory review. See 21 CFR 814. The FDA “approves” devices submitted for PMA.

[3] Id.

[4] Food and Drug Administration (FDA), Requests for Feedback on Medical Device Submissions: The Pre-Submission Program and Meetings with Food and Drug Administration Staff: Guidance for Industry and Food and Drug Administration Staff (2017). Available at: https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm311176.pdf.

[5] Id.

[6] FDA, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (2014).

[7] Supra note 1.

[8] Supra note 1.

[9] FDA, Symbiq Infusion System by Hospira: FDA Safety Communication-Cybersecurity Vulnerabilities (2014). Available at: http://wayback.archive-it.org/7993/20170722144742/https:/www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm

[10] Id.

[11] Id.

[12] Id.

[13] FDA, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (2014).

[14] A traceability matrix is a document that links requirements throughout the validation process. This ensures that all requirements are tested in test protocols.

[15] FDA, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (2014).

[16] Id.; National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity. Available at: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.

[17] See supra note 1.

[18] Id.

[19] Supra note 1.

[20] Id. 

[21] Id.