Cybersecurity is an ever-moving target, with new vulnerabilities being discovered daily. 2023 had an average of 79 reported vulnerabilities per day! With the Omnibus act, the FDA is empowered and funded to require medical device manufacturers to secure their systems and maintain the security throughout the life-cycle of the device. And a crucial part of that is a robust cybersecurity management plan. The plan needs to include vulnerability monitoring, updates and patches, coordinated vulnerability disclosures, incident response, and up-to-date security documentation. In this blog, I will discuss these important components of your Cybersecurity Management Plan.
Vulnerability Monitoring
New vulnerabilities in your system’s off-the-shelf (OTS) software will likely be discovered while your device is in the market. Your plan must include running the device’s SBOM (Software Bill of Materials) through the CISA and NIST databases on a regular, justifiable schedule. Your security team should also follow security news and get alerts for new critical vulnerabilities. Newly discovered vulnerabilities that could cause uncontrolled risks in your device need to be handled as soon as possible. Make sure your plan elaborates on the personnel involved, timeline, schedule, and methods used for monitoring.
Updates and Patches
Addressing vulnerabilities generally requires a software change, and the processes for updates and patch management should be part of the plan. Establish and document the timelines for managing scheduled and off-schedule software updates, patches, and security fixes. Include the process of testing these updates for compatibility and security before deployment to ensure they do not introduce new risks. Penetration testing should be included for major updates. Don’t forget to Indicate how you intend to communicate patches and updates to customers.
Coordinated Vulnerability Disclosure Process
The FDA requires you to have a Coordinated Vulnerability Disclosure Process, whereby third parties can disclose vulnerabilities they discovered on your medical device. The goal is to promote transparency and cooperation, and to minimize the risk of exploitation. Your plan should describe the established communication channel (such as dedicated email addresses or web portal), through which security researchers can securely report vulnerabilities. The plan should also elaborate on how you will assess and validate the reported vulnerability to confirm its validity and determine the potential impact and risk. Once a vulnerability is confirmed, planned collaboration with the reporting party to address the issue responsibly and discuss potential mitigations is expected.
Incident Response
Your plan needs a cybersecurity incident response process for the case that an incident has been reported on your device. The process needs to include how you will respond to, mitigate, and recover from the event. Include the process to notify the FDA, affected customers, patients, and other relevant stakeholders.
Keep documentation Up-to-date
Maintaining records of changes and updating the risk management documentation is crucial for being able to respond quickly and effectively to new security threats. Your plan should include record keeping of each change, update and patch. Threat modeling needs to be revisited with changes, and new controls added need to be documented. Also, make sure the SBOM stays current for your vulnerability scans.
Summary
The post-market cybersecurity management plan is one of the critically analyzed documents of your FDA submission. Make sure your submitted security management plan provides the unambiguous assurance of on-going cybersecurity maintenance while your device is in the market. If you need help, please contact us, and we will be happy to help with your cybersecurity submission needs.