Wearable Gizmos vs. Medical Devices: What should Companies do to Comply With FDA Cybersecurity Recommendations?

Transcription

1 Wearable Gizmos vs. Medical Devices: What should Companies do to Comply With FDA Cybersecurity Recommendations? From watches and apps that measure users heart rate and fitness goals to contact lenses that monitor glucose levels and hats that monitor calorie consumption new wearable gizmos have caused shades of grey within the world of cybersecurity regulation. The FDA recently released two sets of guidelines to help clarify which devices it will regulate from a cybersecurity perspective. On October 2, 2014, the FDA issued Final Guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices [1] ( Medical Device Guidelines ) to encourage device[2] ( medical device ) manufacturers to consider cybersecurity risks in the design and development of their medical devices to minimize potential patient/consumer risks from cybersecurity incidents.[3] And, on January 20, 2015, the FDA issued General Wellness: Policy for Low Risk Devices Draft Guidance for Industry and Food and Drug Administration Staff [4] ( General Wellness Device Guidelines ). These guidelines indicate the FDA will not regulate General Wellness Devices (as defined below), but it will regulate medical devices. This piece helps companies assess whether their products are General Wellness Products (which the FDA does not currently regulate) or medical devices (for which the FDA recommends cybersecurity by design), and it helps companies developing medical devices determine what steps they should take to comply with the FDA s recommendations. 1. FDA s Medical Device Guidelines The FDA states in the Medical Device Guidelines that medical device manufacturers should consider cybersecurity while designing medical devices, including the following: (a) identification of assets, threats and vulnerabilities; (b) assessment of the impact of threats and vulnerabilities of device functionality and end users/patients; (c) assessment of the likelihood of a threat and of a vulnerability being exploited; (d) determination of risk levels and suitable mitigation strategies; and (e) assessment of residual risk and risk acceptance criteria. The FDA further recommends medical device manufacturers use the following cybersecurity framework to guide their device development: [5] A. Identify Some medical devices create more risk of cybersecurity incidences than other devices because of their design and intended uses. Companies should consider the following to determine the level of risk involved for their device: i. Medical devices capable of connecting to another device, the Internet or other network or to portable media (i.e., USB or CD) are more vulnerable to cybersecurity threats than non-connected devices. The extent to which security controls are needed depend on the device s intended use, the presence and intent of its electronic data interfaces, its intended environment of use, the type of cybersecurity vulnerabilities present, the likelihood the vulnerability will be exploited and the probable risk of patient harm from a cybersecurity breach.

2 B. Protect and Detect Once companies have identified the level of risk for their devices, they should develop a plan for detecting security compromises and protecting consumer. The FDA recommends companies consider the following: i. Balance cybersecurity safeguards vs. usability of the device in its intended environment (i.e., home vs. hospital), and make sure the controls are appropriate to the users. Provide justification in premarket submissions for the security functions chosen for the device. i Types of security functions: a. Limit Access to Trusted Users Only 1. Authenticate users (i.e., user ID, password, smartcard, biometric) 2. Use timed methods to terminate sessions 3. Use a layered authorization model different users get different privileges based on their role 4. Avoid hardcoded passwords or common words that are the same for each device; limit public access to passwords 5. Use physical locks on devices 6. Require user authentication or other controls before permitting software or firmware updates b. Ensure Trusted Content 1. Restrict software updates or firmware updates to authenticated code (i.e., signature verification) 2. Use systematic procedures for authorized users to download version-identifiable software and firmware from the manufacturer 3. Ensure capability of secure data transfer to and from the device, and when appropriate, use methods for encryption 4. Implement features that allow for security compromises to be detected. C. Respond and Recover The FDA recommends that companies take the following proactive steps in the event their devices are s subject to a cybersecurity event: i. Develop and provide information to the end user concerning appropriate actions to take upon detection of a cybersecurity event i Implement device features that protect critical functionality, even when the device s cybersecurity has been compromised Provide methods for retention and recover of device configuration by an authenticated user. C. Enforceability The FDA s recommendations in the Medical Device Guidelines are not legally enforceable. They should be viewed only as suggested recommendations for companies that manufacture wearable devices and medical devices. This said, companies that fail to implement these suggestions may experience problems with their premarket submissions (such as the FDA requiring the submission of additional materials which will trigger multiple rounds of review), and ultimately not be able to obtain 501(k) clearance. 2. FDA s General Wellness Device Guidelines The FDA created a carve-out from these suggestions for General Wellness Products (defined below). The FDA stated in the General Wellness Device Guidelines that it will not regulate General Wellness Products, and General Wellness Products are not subject to premarket (501(k)) notification requirements, registration, labeling requirements, good manufacturing practice requirements and medical device reporting requirements. 2

3 The General Wellness Device Guidelines defines General Wellness Products as a product that has an intended (1) use that relates to a maintaining or encouraging a general state of health or a healthy activity, or (2) use claim that associates the role of healthy lifestyle with helping to reduce the risk or impact of certain chronic diseases or conditions and where it is well understood and accepted that healthy lifestyle choices may play an important role in the health outcomes for the disease or condition. General Wellness Products excludes devices that present inherent risks to a user s safety, including devices that: (a) are invasive; (b) involve intervention or technology that may pose a risk to a user s safety if device controls are not applied (i.e., lasers, radiation exposure or implants; (c) raise novel questions of usability; or (d) raise questions of biocompatibility.[6] A. Products Maintaining or Encouraging a General State of Health Devices only fall within the first prong of the General Wellness Products definition (i.e., products that maintain or encourage a general state of health or healthy activity ) if they do not make any reference to diseases or conditions. For further clarity, the first category of general wellness claims relate to: (a) weight management; (b) physical fitness, including products intended for recreational use; (c) relaxation or stress management; (d) mental acuity; (e) self-esteem (i.e., devices with a cosmetic function that make claims related only to self-esteem); (f) sleep management; or (g) sexual function.7 The following are specifically excluded from the first prong of the General Wellness Products definition: (i) treat or diagnose obesity; (ii) treat an existing eating disorder, such as anorexia; (iii) treat anxiety; (iv) computer game that will diagnose or treat autism; (v) treat muscle atrophy or erectile dysfunction; (vi) restore a structure or function impaired due to a disease (i.e., prosthetic device that enables amputees to play basketball). B. Associating Healthy Lifestyle with Helping Reduce Chronic Diseases or Conditions The second prong of the General Wellness Products definition (i.e., products that have a use claim that associates the role of healthy lifestyle with helping to reduce the risk of certain diseases or conditions) includes products that: (a) may help to reduce the risk of certain chronic diseases or conditions; and (b) may help living well with certain chronic diseases or conditions. In both cases, the claim that healthy lifestyle choice may play an important role in health outcome should be widely and generally accepted (i.e., in peerreviewed scientific publications). 3. What Does Your Company Have to Do to Comply? A. Identify Whether Your Company s Product is a Device or a General Wellness Product Given the transformative nature of many wearable gizmos and medical devices in development and in the market, it may be difficult to determine whether a product falls within the General Wellness Product exception and is exempt from the FDA s suggestions. In addition to the guidance above, the General Wellness Device Guidelines provides a Decision Algorithm which asks questions about the device to help determine whether it falls within the General Wellness Product exception. Companies should also consider whether the Center for Devices and Radiological Health ( CDRH ) regulates products that are of the same type as the product in question. The CDRH has special controls for certain devices if they can cause injury or trauma to patients. Therefore, these types of devices would not be considered low-risk or General Wellness Products. If it still is not clear, the company should ask the FDC to provide an opinion as to whether a product falls within the General Wellness Product exception. B. For Both Wearable Gizmos and Medical Devices Identify other Laws that May Apply The Medical Device Guidelines are the tip of the iceberg with respect to privacy and data security law compliance. A thorough analysis should be done to determine which laws may apply. Start first by considering whether your business collects, uses, processes, stores or has access to confidential information. If so, determine whether it is employee data, patient data, customer data or data from a third party organization. Is the confidential information primarily intellectual property or other data? Once you complete this assessment, you can identify which laws may apply. 3

4 C. Additional Steps for Medical Devices -- Provide the Following Information with Premarket Submissions As stated above, the Medical Device Guidelines are not enforceable; however a company s failure to implement the guidelines may result in the inability to receive 501(k) clearance. The FDA recommends that device manufacturers provide the following documentation with respect to submissions.[8] i. Design considerations pertaining to intentional and unintentional cybersecurity risks a. A list of cybersecurity risks that were considered in the device design b. A list and justification for all cybersecurity controls that were created for the device A matrix linking cybersecurity controls to the cybersecurity risks that were considered i Plan for providing validated software updates throughout the lifecycle of the device iv. Controls in place that assure the medical device software will be free of malware, etc. from the of origin to the point at which the device leaves the manufacturer s control point v. Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (antivirus software, firewall, etc.) [1] Content of Premarket Submissions for Management of Cybersecurity in Medical Devices Guidance for Industry and Food and Drug Administration Staff, (October 2, 2014) available at 90.pdf. [2] Section 201(h) of the FD&C Act defines device as an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent or other similar or related article, including any component, part or accessory, which is... intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease, in man... or intended to affect the structure of any function of the body of man.... [3]This is a supplement to the FDA s Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices, available at pdf; and Guidance to Industry: Cybersecurity for Networked Medical Devices Containing Off-the- Shelf (OTS) Software available at pdf. [4] General Wellness Policy for Low Risk Devices Guidance for Industry and Food and Drug Administration Staff, (January 20, 2015) available at 74.pdf. [5]This framework tracks the National Institute of Standards and Technology s Framework for Improving Critical Infrastructure Cybersecurity available at [6]Examples of devices that are not considered low risk (and therefore are not considered to be General Wellness Products) include: (i) sunlamp products promoted for tanning purposes; (ii) implants promoted for improved self-image or enhanced sexual function; and (iii) laser products that claim to improve confidence in the user s appearance by rejuvenating the skin. [7]This includes devices that claim to: (i) promote or maintain a healthy weight, encourage healthy eating or assist with weight loss goals; (ii) promote relaxation or manage stress when there is no reference to anxiety disorders or other reference to a disease or condition; (iv) claims to increase or enhance the flow of 4

5 qi; (v) improve mental accuity, instruction following, concentration, problem-solving, multitasking, resource management, decision-making, logic, pattern recognition or eye-hand coordination; (vi) promote physical fitness, such as to help log, track or trend exercise activity, measure aerobic fitness, improve physical fitness, develop or improve endurance, strength or coordination, or improve energy; (vii) promote sleep management, such as to track sleep trends; (vii) promote self-esteem, such as to boost self-esteem; (ix) address a specific body structure or function, such as to increase or improve muscle size or body tone, tone or firm the body or muscle, enhance cardiac function, or enhance or improve sexual performance; (x) improve general mobility or to assist individuals who are mobility impaired or who have limited mobility in a recreational activity; and (xi) enhance an individual s participation in recreational activities by monitoring the consequences of participating in such activities, such as to monitor heart rate or monitor frequency or impacts of collisions. [8]Including Premarket Notifications (501(k)) including Traditional, Special and Abbreviated; De novo submissions; Premarket Approval Applications; Product Development Protocols; and Humanitarian Device Exemption submissions. 5