JoAnne L. Bronikowski
From X-ray systems and backend EMRs or networking interfaces to insulin pumps and mobile software applications, cybersecurity vulnerabilities can emerge throughout a device’s lifecycle and potentially result in patient harm or financial losses for providers.
The US Food and Drug Administration (FDA) is encouraging medical device manufacturers to be more vigilant and build in safeguards throughout the product lifecycle to reduce health and safety risks.
To help structure measures against the evolving threat, on December 27, 2016, the FDA issued its final guidance document, Postmarket Management of Cybersecurity in Medical Devices, which clarifies the agency’s recommendations for managing postmarket cybersecurity vulnerabilities for medical devices. The recommendations apply to current and future marketed and distributed medical devices that are part of an interoperable system, contain software or firmware, or are software applications themselves. This guidance serves as a supplement to the agency’s previously released guidance document, Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.
Key Principles of the New Guidance
- Medical device manufacturers should monitor, identify, and address cybersecurity exploits and vulnerabilities through the establishment of effective postmarket cybersecurity management processes
- A risk-based framework should be used for assessing when cybersecurity-related device changes should be reported to the FDA
- Cybersecurity risk management is a shared responsibility among stakeholders including the medical device manufacturer, the user, the Information Technology (IT) system integrator, Health IT developers, and IT vendors
Agency Recommendations for a Medical Device Manufacturer’s Quality Management System
- Methods to monitor, identify, characterise, and assess cybersecurity vulnerabilities
- Methods to analyse, detect, and assess threat sources
- Processes for intake and handling of identified vulnerabilities
- Processes for verification and validation of software updates and patches for remediation of vulnerabilities
- Policy for vulnerability disclosure and practice
- Threat modeling to define how to maintain the safety and effectiveness of a medical device by developing mitigations that protect against, respond to, and recover from cybersecurity risk
The agency encourages the use and adoption of the voluntary Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology (NIST) with collective input from other government agencies and the private sector. The guidance’s appendix gives further detail on how a manufacturer can align with this framework.
In addition, the agency encourages medical device manufacturers to participate in an Information Sharing and Analysis Organisation (ISAO). ISAOs gather and analyse critical infrastructure information in order to better understand cybersecurity problems and interdependencies; communicate or disclose critical infrastructure information to help prevent, detect, mitigate, or recover from the effects of cyber threats; and voluntarily disseminate critical infrastructure information to their members or to others involved in the detection of and response to cybersecurity issues.
In alignment with this final guidance from the FDA, ICON will continue to recommend that clients incorporate the management of cybersecurity risks into their risk management programme, and will encourage clients to consider using a cybersecurity vulnerability assessment tool and engaging with an ISAO. ICON can assist clients in developing cybersecurity programmes that proactively control cybersecurity risk. These solutions are device-specific, but typically include removing cybersecurity vulnerabilities or instructing users to incorporate a compensating control as an external safeguard.
For assistance with establishment of a cybersecurity management process or a cybersecurity documentation review to ensure compliance with current regulations, please contact ICON.