Annals of Health Law - Vol. 26 Issue 1

guidelines and issued device vulnerability notices to assist device manufacturers in producing and managing devices less likely to adversely impact consumers.127 The 2014 Pre-Release Cybersecurity Guidelines addressed incorporating cybersecurity considerations in the design and development of medical devices as part of “software validation and risk analysis... [in] 21 CFR 820.30(g).”128 The FDA recommended incorporating asset identification, threat analysis, and vulnerability reviews into an organization’s device development process, including risk assessment and analysis, to determine residual risk and apply mitigation strategies.129 Such processes should take into consideration the intended use and implementation of a device, such as home use.130 Moreover, medical device manufacturers are encouraged to specify “cybersecurity safeguards” in premarket submission processes, such as “hazard analysis” and “design considerations” for a medical device, and risks like device cybersecurity controls considered or implemented.131

The premarket cybersecurity safeguards recommending asset identification, threat analysis, and vulnerability reviews, reflect a level of standardization in cybersecurity practice.132 These standards incorporate best practice cybersecurity capabilities, such as access and identity management—the capability that bars unauthorized users from accessing a system, code validation and management, cybersecurity incident response capabilities, and business continuity—continuing function of devices even when compromised.133 These standards have been established by the International Electrotechnical Commission (IEC), the “world’s leading

127. See generally U.S. FOOD & DRUG ADMIN., CONTENT OF PREMARKET SUBMISSIONS FOR MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES 1 (2014), http://www.fda.gov/ downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm356190.pd f [hereinafter CYBERSECURITY WHITE PAPER].

128. Id. at 3.

129. Id. at 4.

130. Id. (“Manufacturers should also carefully consider the balance between cybersecurity safeguards and the usability of the device in its intended environment of use (e.g home use vs. health care facility use).”

131. Id. at 4–5.

132. See, e.g., Michael Muckin & Scott C. Fitch, A Threat-Driven Approach to Cyber Security, LOCKHEED MARTIN 5, http://lockheedmartin.com/content/dam/lockheed/data/isgs/ documents/Threat-Driven%20Approach%20whitepaper.pdf (last visited Sept. 15, 2016) (advocating a threats-assets-controls relational model, which shifts focus from vulnerability analysis to threat analysis); Christopher J. Alberts et al., Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework, Version 1.0, CARNEGIE MELLON UNIVERSITY (June 1999), https://resources.sei.cmu.edu/asset_files/TechnicalReport/1999_ 005_001_16769.pdf (describing a security risk management approach involving asset management, vulnerability analysis, and threat identification originating as early as 1999).