Getting Started with MDRAP

Ariel Zadok

On December 28, 2016, the FDA issued the Postmarket Management of Cybersecurity in Medical Devices final guidance to inform industry and FDA staff of FDA’s recommendations for managing postmarket cybersecurity vulnerabilities for marketed and distributed medical devices. The guidance provides specific recommendations and encourages manufacturers to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device. The guidance emphasizes that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices. The guidance also establishes a risk-based framework for assessing when changes to medical devices for cybersecurity vulnerabilities require reporting to the FDA. The majority of actions taken by manufacturers to address cybersecurity vulnerabilities and exploits, referred to as “cybersecurity routine updates and patches,” are generally considered to be a type of device enhancement[1] for which the FDA does not require advance notification or reporting under 21 CFR part 806.

As written in the FDA guidance, networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats. The exploitation of vulnerabilities may represent a risk to health and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits. Proactively addressing cybersecurity risks in medical devices reduces the overall risk to health.

The National Institute of Standards and Technology (“NIST”) Cyber Security Framework (CSF) and NIST Special Publication 800-53 provide a foundational framework for managing these requirements in terms of risk; however, they are not specifically geared towards the unique challenges presented by medical devices versus traditional IT networks. To date, the healthcare industry is still identifying the most appropriate process to incorporate medical device cyber security challenges into traditional IT networks. The risks posed by medical devices to IT networks dramatically increase the challenges faced by the healthcare industry (both HDOs and manufacturers) due to the large increase in the potential attack surface that has not yet been adequately considered or addressed.

Accurately modeling the risk and determining the likelihood of threats presented by each medical device represents a set of challenging requirements (with serious implications) that the U.S. healthcare delivery ecosystem is still in the early stages of addressing, and no single risk model can fully account for the numerous levels of risk we face. The FDA has recognized that active participation from multiple key stakeholders in medical devices is crucial to strengthen the national system for medical device postmarket surveillance.

[1] See FDA Guidance titled: “Distinguishing Medical Device Recalls from Medical Device Enhancements” (


MDRAP operates as a Risk Analysis Platform. Within the Risk Management Framework, it is particularly useful for:

  • Performing audit-based initial (baseline) risk assessments for each medical device, generating a Cyber Security Framework (CSF) profile by evaluating the current risk and security controls for each medical device in a healthcare delivery organization (HDO).
  • Serving as the basis for a desired or "target" CSF profile and providing an initial assessment of the potential success and impact of risk controls.
  • Assisting an HDO in framing cybersecurity risk as part of a robust multi-tiered organizational Risk Management Framework, so that the various organization management levels have visibility into the current and planned risk, or the changes in risk due to new threats, increased vulnerabilities, or new medical devices.


To start using MDRAP, please reference the Help Desk Articles within the MDRAP system.
