
Cyber security threats .pdf

Original filename: Cyber security threats.pdf
Title: https://www.pharmamedtechbi.com/publications/the-gray-sheet/42/
Author: tdraschil

This PDF 1.5 document has been generated by PScript5.dll Version 5.2.2 / Acrobat Distiller 11.0 (Windows), and has been sent on pdf-archive.com on 29/01/2016 at 14:39, from IP address 50.79.x.x. The current document download page has been viewed 401 times.
File size: 133 KB (4 pages).
Privacy: public file

This copy is for your personal, non-commercial use. For high-quality copies or
electronic reprints for distribution to colleagues or customers, click here or call
+1 (908) 547-2200.
Printed by Mr. Norm Rabin, Maetrics LLC

Responding To Cybersecurity Threats: FDA Addresses Postmarket Questions In Draft Guidance
By Ferdous Al-Faruque
Regulatory & Policy News / Word Count: 1072 / Article # 01160125004 / Posted: January 20 2016 11:45 AM

Related Articles:
Homeland Security Official: Key To Cybersecurity Is People, Not (“The Gray Sheet” Jan. 28, 2016)
FDA Outlines Agenda For Cybersecurity Workshop (“The Gray Sheet” Jan. 11, 2016)
FDA Says It Is Changing Its Cybersecurity Culture, And Others Should Too (“The Gray Sheet” Nov. 13, 2015)
FDA Proposal For Cybersecurity Info In Pre-market Submissions Generates Debate (“The Gray Sheet” Oct. 14, 2013)

Executive Summary
FDA issued a draft guidance on how companies should monitor and respond
to potential cybersecurity threats in the postmarket setting. Some
cybersecurity problems will require a recall action, but in most cases urgent
notification to FDA will not be necessary, the document suggests.


Manufacturers of connected medical devices that discover cybersecurity threats
exceeding FDA's acceptable level of risk should immediately report the risk to the
agency unless the issue meets certain exceptions, according to a new draft

On Jan. 15, FDA released the draft guidance on what device-makers should do
about potential cybersecurity threats to their products when they are already on the
market. The document follows up on a final guidance the agency released in
2014 on how companies should address cybersecurity issues when submitting a
premarket application. (See "FDA Proposal For Cybersecurity Info In Pre-market
Submissions Generates Debate" — "The Gray Sheet," Oct. 14, 2013.)

“All medical devices that use software and are connected to hospital and health
care organizations’ networks have vulnerabilities – some we can proactively
protect against, while others require vigilant monitoring and timely
remediation,” said Suzanne Schwartz, associate director for science and
strategic partnerships at FDA's Center for Devices and Radiological Health.
“Today’s draft guidance will build on the FDA’s existing efforts to safeguard
patients from cyber threats by recommending medical device manufacturers
continue to monitor and address cybersecurity issues while their product is on
the market.”

When a manufacturer takes an action to address a cybersecurity vulnerability
that carries acceptable residual risk by the agency's standards, FDA will not
require advance notification or additional premarket review or reporting by the

https://www.pharmamedtechbi.com/publications/the-gray-sheet/42/4/responding-to-cybers... 1/29/2016


In the majority of cases, when a manufacturer takes an action to address a
cybersecurity vulnerability that carries acceptable residual risk by the agency's
standards, FDA says it will consider it a "routine update or patch," and will not
require advance notification or additional premarket review or reporting by the

FDA will require notification by the company under the agency's recalls regulation
(21 CFR, Part 806) in some circumstances when a vulnerability holds an
unacceptable residual risk, but there are exceptions.

The agency says it does not intend to enforce urgent reporting of a vulnerability if
the manufacturer meets three requirements. Specifically, the vulnerability must not
have led to a serious adverse event or death; the manufacturer must have
responded to the vulnerability by notifying users and taking action to reduce the risk
to a "controlled" level within 30 days; and the manufacturer must be a member of an
"information-sharing analysis organization" (ISAO).

"For a small subset of cybersecurity vulnerabilities and exploits that may
compromise the essential clinical performance of a device and present a
reasonable probability of serious adverse health consequences or death, the FDA
would require medical device manufacturers to notify the agency," the draft
guidance states.

FDA Workshop
Cybersecurity is a major issue facing the medical device industry this year, and
FDA is working to get ahead of the problem. The agency says it is making a cultural
change to proactively find ways to strengthen security measures for connected
devices, but in the end it also says device-makers need to keep an eye out for
potential threats to devices throughout the lifecycle of products. (See "FDA Says It
Is Changing Its Cybersecurity Culture, And Others Should Too" — "The Gray
Sheet," Nov. 13, 2015.)

"FDA recognizes that medical devices and the surrounding network infrastructure
cannot be completely secured. Design, architecture, technology and software
development environment choices may result in the inadvertent incorporation of
vulnerabilities," the draft says. "The presence of a vulnerability does not necessarily
trigger patient safety concerns. Rather, it is the impact of the vulnerability on the
essential clinical performance of the device, which may trigger patient safety
concerns. Vulnerabilities that do not appear to currently impact essential clinical
performance should be assessed by the manufacturer for future impact."

FDA is holding a two-day workshop Jan. 20-21 with industry to discuss the recently
proposed draft guidance, but also to touch on other topics, including a focus on
sharing information to prevent potential hacks and developing standards across the
industry. (See "FDA Outlines Agenda For Cybersecurity Workshop" — "The Gray
Sheet," Jan. 11, 2016.)

Focus On QSR, Information Sharing
The draft guidance clarifies definitions of key cybersecurity terminology FDA uses,
such as threats, controlled and uncontrolled risks, cybersecurity signals, and
essential clinical performance. But the overarching message of the document is that
device makers need to proactively plan for and assess vulnerabilities in a manner
consistent with the Quality System Regulation.

"Because cybersecurity risks to medical devices are continually evolving, it is not
possible to completely mitigate risks through premarket controls alone," FDA
notes. "It is essential that manufacturers implement comprehensive cybersecurity
risk management programs and documentation consistent with the Quality
System Regulation, including, but not limited to, complaint handling (21 CFR,
Part 820.198), quality audit (21 CFR, Part 820.22), corrective and
preventive action (21 CFR, Part 820.100), software validation and risk
analysis, and servicing (21 CFR, Part

"The agency considers voluntary participation in an information-sharing analysis
organization a critical component of a medical device manufacturer’s
comprehensive proactive approach to management of postmarket cybersecurity
threats and vulnerabilities," the draft guidance states.

A key effort necessary for maintaining proper systems will be for manufacturers of
connected devices to share information through participation in ISAOs, such as the
nonprofit National Health Information Sharing and Analysis Center, which has a
memorandum-of-understanding agreement with CDRH.

"The agency considers voluntary participation in an ISAO a critical component of a
medical device manufacturer’s comprehensive proactive approach to management
of postmarket cybersecurity threats and vulnerabilities, and is a significant step
toward assuring the ongoing safety and effectiveness of marketed medical devices,"
FDA said.

The bottom line, the agency says, is that it's important to promote information-sharing
and collaboration between device-makers, users, and the broader public-health
infrastructure to improve understanding of the risks and how to mitigate them.

The agency is now recommending that manufacturers consider voluntarily adopting
the National Institute of Standards and Technology's Framework for Improving
Critical Infrastructure Cybersecurity, which includes the core principles of “Identify,
Protect, Detect, Respond and Recover.”

The draft also recommends manufacturers develop processes to communicate
potential risks and how to handle them, and adopt coordinated vulnerability
disclosure policies and practices.


FDA says manufacturers should particularly look out for potential unauthorized
access, modifications, misuse or denial of use, or the unauthorized use of
information that is stored, accessed, or transferred from a medical device to an
external recipient, and, more broadly, for cybersecurity threats that put patient
safety at risk.

Stakeholders can comment on the draft guidance on regulations.gov,
docket no. FDA-2015-D-5105, until April 21.



Copyright (c) 2016 Informa Business Intelligence, Inc., an Informa Company. All rights reserved. No part of this article
may be reproduced in any form or incorporated into any information retrieval system without the written permission of the copyright owner.
Online/print subscriptions, reprints, and web posting and distribution licenses are available.
Contact us at (888) 670-8900, +1 (908) 547-2200, or custcare@informa.com.
