Vulnerabilities and Risk in Cybersecurity
FDA states that a cybersecurity vulnerability exists whenever the software provides the opportunity for unauthorized access to the network or the medical device. Cybersecurity vulnerabilities open the door to unwanted software changes that may have an effect on the safety and effectiveness of the medical device. Failure to properly address these vulnerabilities could result in an adverse effect on public health. A major concern with OTS software is the need for timely software patches to correct newly discovered vulnerabilities in the software.
The FDA recommends that the manufacturer conduct a vulnerability analysis, both initially (premarket) and ongoing (post-market). The approach should appropriately address the following elements:
·
Identification of assets, threats, and vulnerabilities;
·
Assessment of the impact of threats and
vulnerabilities on device functionality and end
users / patients;
·
Assessment of the likelihood of a threat and of
a vulnerability being exploited;
·
Determination of risk levels and suitable
mitigation strategies; and
· Assessment of residual risk and risk acceptance criteria.
As mentioned above, and especially software / firmware, initial design and subsequent continuous improvement activities must consider hazards / risk, per ISO 14971. Such risk is focused on the end user – patient and/or clinician. The hazard analysis should address both “normal" as well as “fault” risks, i.e., not just failure mode risk, the most prevalent approach, but also risk posed by the proper function of the product. In such an analysis, the manufacturer must also consider cybersecurity as part of this regular hazard analysis. Exposure to the web, as in the networked devices focused on in this guidance, increases such cybersecurity risks to the patient / clinician. Hazard / risk analysis’ goal is risk mitigation, documented in the Risk Management File and Report (ISO 14971), as well as in the Design History File (21 CFR 820.30). Consider system boundaries, and connections to the external environment. In all such analysis, software must be considered with its associated hardware.
The above is to be supplemented by on-going monitoring of actual and potential vulnerabilities, consistent with the Quality System Regulation (21 CFR part 820), including complaint handling, internal quality audits, CAPA (corrective and preventive action), software validation and risk analysis, and servicing. Such programs should emphasize addressing vulnerabilities which may permit the unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient, and may impact patient safety.
The Agency defines critical
components of such a program to include:
·
Monitoring
cybersecurity information sources for identification and detection of
cybersecurity vulnerabilities and risk;
·
Understanding,
assessing and detecting presence and impact of a vulnerability;
·
Establishing and
communicating processes for vulnerability intake and handling;
·
Clearly defining
essential clinical performance to develop mitigations that protect, respond and
recover from the cybersecurity risk;
·
Adopting a
coordinated vulnerability disclosure policy and practice; and
· Deploying mitigations that address cybersecurity risk early and prior to exploitation.
Postmarket cybersecurity
information may originate from an array of sources including a company’s own
CAPA / warranty / complaint system,
independent security researchers, in-house testing, suppliers of
software or hardware technology, health care facilities, and information
sharing and analysis organizations. To manage postmarket cybersecurity risks
for medical devices, a company should have a structured and systematic approach
to risk management and quality management systems consistent with the CGMPs.
- jel@jelincoln.com
No comments:
Post a Comment