Critiquing FDA Medical Device Cybersecurity Guidance
Commenters Offer Suggestions for Beefing Up Requirements
The Food and Drug Administration is reviewing comments on its proposed cybersecurity guidance for medical devices, among them suggestions that it should beef up the guidance with more details on addressing certain security concerns, such as software patching and updates.
Meanwhile, it has issued draft guidance clarifying that manufacturers should release information gathered by the devices directly to patients upon request, addressing a gap in HIPAA.
The FDA's draft post-market cybersecurity guidance issued last January recommends that medical device manufacturers "address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device."
The draft guidance emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their post-market management of medical devices. "For the majority of cases, actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered 'cybersecurity routine updates or patches,' for which the FDA does not require advance notification or reporting," the document notes.
In his comments, Kevin Fu, director of the Archimedes Center for Medical Device Security at the University of Michigan, commends "the FDA leadership for waking up from its cyber-slumber in the 2000s." However, he said the draft guidance has several weaknesses.
For instance, Fu notes that the draft "does not presently catch cybersecurity problems" related to the distribution of post-market software updates or vendors who accidentally spread malware while repairing medical devices.
He also suggests the guidance "should include language that acknowledges the risks of unauthentic software updates."
Fu recommends that the FDA should "separate expectations of patch time from incident discovery time. For instance, simply discovering malware within a few minutes of infection instead of 200 days would immediately reduce risks to healthcare delivery organizations' infrastructure by reducing exposure."
Security vendor Symantec notes in its comments that while the FDA's focus is on cybersecurity concerns related to the safety and effectiveness of medical devices, "the risks resulting from device cyber vulnerabilities are not limited to patient safety."
Other concerns, Symantec says, include device availability, confidentiality and privacy, as well as systemwide cybersecurity. "We believe that ... we should strive to address the complete problem set, and although the non-safety aspects lie outside of the regulatory scope of this document, they should at least be discussed for benefit of the larger community."
Symantec offered an example: "A cybersecurity risk analysis of a digital X-ray system should consider both the risk to calibration data - radiation safety - as well as the risk to PHI stored on the device."
CHIME Chimes In
The College of Healthcare Information Management Executives, an association of healthcare CIOs and CISOs, recommends in its comments that the FDA and the Department of Health and Human Services' Office for Civil Rights "work together to better align and coordinate their implementation guidance in order to provide a holistic cybersecurity ecosystem. Manufacturers should be required to configure their devices with respect to an industry-accepted security standard - a standard that accounts for the basic principles of cybersecurity controls and alleviates these risks."
CHIME also recommends that the guidance should "grant manufacturers with some level of 'safe harbor' protection against regulatory enforcement, provided that they achieve third-party certification, actively participate in a centralized Information Sharing and Analysis Organization and develop security patches in a timely manner."
An FDA spokeswoman tells Information Security Media Group the agency is reviewing all comments received and "will incorporate any necessary changes into the final guidance. When the guidance is final, we will communicate publicly, but we do not have any estimate of when that may be."
In another medical device-related move, the FDA has released new draft guidance clarifying that medical device manufacturers should provide patients access to data generated by their devices.
The HIPAA Privacy Rule, which gives patients the right to access their protected health information, generally does not apply to device makers.
The FDA draft guidance appears to be part of the recently ramped-up HHS campaign to promote the ability of individuals to access their health information. HHS views such access "as the foundation for patients to be fully engaged in their care and empowered to make healthcare decisions," says privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek.
OCR also recently issued guidance materials, including videos, explaining patients' rights under HIPAA to access their "designated record set" of health information from covered entities, such as doctors and hospitals.
"Many of the vendors who are monitoring and collecting information from implantable and wearable medical devices worn by individuals are not subject to the HIPAA rules and would not be required to provide individuals access to their information unless they voluntarily agreed to do so," Holtzman points out. "The HIPAA Privacy Rule guarantees that patients have the right to access their protected health information [but that] would not extend to medical device manufacturers unless they are HIPAA covered entities or a business associate," and most are not, he notes.
The FDA draft guidance is "consistent in general with the approach of HIPAA - and other 'transparency' efforts - to get patients more engaged in their healthcare," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "Access has been a key component of many privacy rules, although historically not too many individuals have taken advantage of this right," Nahra says.
The proposed FDA guidance could potentially have an impact on how medical devices are designed, Nahra says. And the guidance "could have an impact on security risks, depending on how the data is made available to patients. Much of this information already can be available from providers under HIPAA."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says the new guidance "may be driven, in part, by the Precision Medicine Initiative, allowing patients to obtain their information and share it for research purposes."
The FDA draft guidance, Dissemination of Patient-Specific Information from Devices by Device Manufacturers, which was released on June 10, notes that the FDA is issuing the document to clarify that although "not generally required under the Federal Food, Drug, and Cosmetic Act ... manufacturers may share patient-specific information recorded, stored, processed, retrieved, and/or derived from a medical device with the patient who is either treated or diagnosed with that specific device."
The FDA says it "believes that providing patients with access to accurate, useable information about their healthcare when they request it - including the medical products they use and patient-specific information these products generate - will empower patients to be more engaged with their healthcare providers in making sound medical decisions."
The guidance does not make specific recommendations on how device makers should convey patient-specific information to individuals, nor does it provide suggestions for how to keep the information secure or private.
The FDA is accepting public comment on the draft guidance for 60 days.