guidelines and issued device vulnerability notices to assist device
manufacturers in producing and managing devices less likely to adversely
impact consumers.127 The 2014 Pre-Release Cybersecurity Guidelines
addressed incorporating cybersecurity considerations in the design and
development of medical devices as part of “software validation and risk
analysis... [in] 21 CFR 820.30(g).”128 The FDA recommended
incorporating asset identification, threat analysis, and vulnerability reviews
into an organization’s device development process, including risk assessment
and analysis, to determine residual risk and apply mitigation strategies.129
Such processes should take into consideration the intended use and
implementation of a device, such as home use.130 Moreover, medical device
manufacturers are encouraged to specify “cybersecurity safeguards” in
premarket submission processes, such as “hazard analysis” and “design
considerations” for a medical device, and risks like device cybersecurity
controls considered or implemented.131
The premarket cybersecurity safeguards recommending asset
identification, threat analysis, and vulnerability reviews, reflect a level of
standardization in cybersecurity practice.132 These standards incorporate best
practice cybersecurity capabilities, such as access and identity
management—the capability that bars unauthorized users from accessing a
system, code validation and management, cybersecurity incident response
capabilities, and business continuity—continuing function of devices even
when compromised.133 These standards have been established by the
International Electrotechnical Commission (IEC), the “world’s leading
127. See generally U.S. FOOD & DRUG ADMIN., CONTENT OF PREMARKET SUBMISSIONS
FOR MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES 1 (2014), http://www.fda.gov/
downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm356190.pd
f [hereinafter CYBERSECURITY WHITE PAPER].
128. Id. at 3.
129. Id. at 4.
130. Id. (“Manufacturers should also carefully consider the balance between
cybersecurity safeguards and the usability of the device in its intended environment of use (e.g
home use vs. health care facility use).”
131. Id. at 4–5.
132. See, e.g., Michael Muckin & Scott C. Fitch, A Threat-Driven Approach to Cyber
Security, LOCKHEED MARTIN 5, http://lockheedmartin.com/content/dam/lockheed/data/isgs/
documents/Threat-Driven%20Approach%20whitepaper.pdf (last visited Sept. 15, 2016)
(advocating a threats-assets-controls relational model, which shifts focus from vulnerability
analysis to threat analysis); Christopher J. Alberts et al., Operationally Critical Threat, Asset,
and Vulnerability Evaluation (OCTAVE) Framework, Version 1.0, CARNEGIE MELLON
UNIVERSITY (June 1999), https://resources.sei.cmu.edu/asset_files/TechnicalReport/1999_
005_001_16769.pdf (describing a security risk management approach involving asset
management, vulnerability analysis, and threat identification originating as early as 1999).
133. Id.