Here’s this week’s example of an Additional Information Request (AI Request):
FDA Additional Information Request - Example #22: Inadequate Information on Detection, Response, and Recovery Controls
Based on the information provided, it is not clear how the device detects, monitors, logs, and/or alerts users of security compromise. You did not indicate how the device would alert a cyber intrusion outside of the end user noticing a problem with the device during operation. Adequate detection, response, and recovery controls are important to comply with the requirements specified in section 524B(b)(2) of the Federal Food, Drug, and Cosmetic Act to provide a reasonable assurance that the device and related systems are cybersecure. It is also consistent with recommendations in Section 5 of the FDA guidance document “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”, for manufacturers to address the following:
- Implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use;
- Develop and provide information to the end user concerning appropriate actions to take upon detection of a cybersecurity event;
- Implement device features that protect critical functionality, even when the device’s cybersecurity has been compromised; and
- Provide methods for retention and recovery of device configuration by an authenticated privileged user.
Inadequate detection, response, and recovery methods can impact the safety and effectiveness of the device during a cybersecurity exploit. Therefore, for each item above, please provide a description of how the device design addresses each item.
In this example, the FDA is asking how the manufacturer handles the cybersecurity requirements for detection, response, and recovery controls as part of the design of the medical device. Apart from relying on an observant end user to notice a problem with the device during operation, the submission failed to address key provisions of FDA guidance necessary to ensure the device and related systems are cybersecure.
Four key areas which the manufacturer must address are:
- Provide features that detect, recognize, and log security compromises with timing, and that act on them, during normal use
- Document for the end user, typically as part of the Instructions for Use (IFU) or other labeling, the appropriate actions to take in the event of a cybersecurity event
- Ensure the design has features that protect its critical functionality, even when the device has been compromised
- Support the recovery of the device from a cybersecurity event by providing methods for the device to retain critical device configuration and allow an appropriately authenticated user to recover the configuration
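The four areas above can be sketched in one small device-side monitor. This is an added example, not code from the FDA guidance or from CriTech; the class, method names, event names, and sample configuration are all hypothetical, and it assumes a shared admin key provisioned for the privileged user.

```python
import hashlib, hmac, json, os, time

def _sha(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class SecurityMonitor:
    """Hypothetical device-side monitor (all names are assumptions)."""
    def __init__(self, config, admin_key, clock=time.time):
        self.config = dict(config)
        self._backup = json.dumps(config)   # retained known-good configuration
        self._baseline = _sha(config)
        self._key, self._clock = admin_key, clock
        self._nonce = None
        self.log, self.alerts, self.safe_mode = [], [], False
    def _record(self, event, detail):
        # Timed, hash-chained entry: editing or deleting one breaks the chain.
        entry = {"time": self._clock(), "event": event, "detail": detail,
                 "prev": self.log[-1]["hash"] if self.log else "0" * 64}
        entry["hash"] = _sha(entry)
        self.log.append(entry)
    def check_integrity(self):
        # Detect and act without relying on the user noticing a malfunction.
        if _sha(self.config) == self._baseline:
            return True
        self._record("CONFIG_TAMPER", "running config differs from baseline")
        self.safe_mode = True   # keep only the critical function running
        self.alerts.append("Security event detected: follow the steps in the IFU")
        return False
    def new_challenge(self):
        self._nonce = os.urandom(16).hex()  # fresh per attempt, prevents replay
        return self._nonce
    def restore_config(self, user, tag):
        # Recovery only for a caller who proves possession of the admin key.
        nonce, self._nonce = self._nonce, None
        want = hmac.new(self._key, f"{nonce}:{user}".encode(), hashlib.sha256).hexdigest()
        if nonce is None or not hmac.compare_digest(want, tag):
            self._record("RESTORE_DENIED", user)
            return False
        self.config, self.safe_mode = json.loads(self._backup), False
        self._record("CONFIG_RESTORED", user)
        return True
    def log_intact(self):
        prev = "0" * 64
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _sha(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Denied restore attempts are logged as well as successful ones, so the event record covers both the compromise and the recovery.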
Documentation affected by the FDA’s requirements includes:
- System requirements and design to require and implement these features
- Threat Modeling and Vulnerability Analysis to ensure the security of the implementation
- Verification of the proper implementation, by means of static analysis, software unit & integration testing, software requirements testing of cybersecurity requirements, and system level penetration testing
Because remediating a failure to implement these cybersecurity controls can be very costly in terms of cost, schedule, and performance, it’s critical to engineer these controls in from the beginning.
Please follow us on LinkedIn to see more examples of AI Requests – a new one is released every week.
Should you receive an Additional Information Request from the FDA, CriTech is here to help. Please give us a call to discuss and we’ll help you craft what you need to do going forward.