2. The Problem
• More and more Medical Devices are being designed to be networked with other patient care systems
  – Networked devices include software that may be vulnerable to cybersecurity threats
• Safety and Effectiveness Impact
• Risk to Public Health
3. The Impact
• Compromised Device Functionality
• Loss of Data Availability or Integrity
  – Medical
  – Personal
• Exposure of other connected devices or networks to security threats
  – All of the above may lead to potential patient illness, injury, or death
4. Scope
• Software containing Medical Devices
• Software that is a Medical Device
Note: Guidance Not Applicable to Experimental or Investigational Devices
5. The Solution - FDA’s Expectation
• Holistic
  – Includes the entire Product Lifecycle of the device, from conception to obsolescence
• Not just a point-in-time intervention
  – Continual monitoring, including post market
  – E.g. monitoring vulnerabilities inadvertently introduced during patch releases
• Device Manufacturers responsible
  – Proactive, not reactive, posture expected from manufacturers
  – Active, voluntary participation in an ISAO
ISAO: Information Sharing and Analysis Organizations, per Executive Order 13691, released 13th Feb 2015
6. FDA’s Guidance
• Cybersecurity for Networked Medical Devices containing OTS Software
  – Jan 14, 2005
• Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
  – Oct 2, 2014
• Post Market Management of Cybersecurity in Medical Devices (Draft)
  – Jan 22, 2016
[Diagram: product lifecycle stages covered by the guidance: Purchasing, Design, Post market monitoring]
7. Key Themes
• Collaboration
• ISAO Participation
• Shared Responsibility
  – Cognate terms for collaboration and sharing occur 24 times in the document
• Proactive approach
• Risk based approach
• Essential Clinical Performance
  – This term occurs 58 times in the document
  – Idea borrowed from IEC 60601-1, but ‘clinical’ added in this document
[Image caption: “You approach your cybersecurity program with this… …to preserve this.”]
15. End Note
• The NIST Framework is mentioned here at the very highest level
• The purpose of its mention is simply to raise awareness
• A separate slide deck is warranted to delve deeper into what it is and how it can be implemented
• Individuals are encouraged to ask questions or provide comments on the FDA guidance on post market management of cybersecurity in medical devices until April 21st of 2016
Editor's Notes
Slide 4: Software includes firmware and/or programmable logic.
Slide 6: Implications are: responsible purchasing, recognizing cybersecurity issues up front; cybersecurity as a design consideration; and continual ongoing monitoring of patches post market.