
Integrating FDA’s new cybersecurity guidance into medical device human factors engineering processes

May 21, 2024

Connected medical devices and systems offer patients and healthcare providers many benefits that can improve healthcare delivery and management. However, integrating these connected medical devices and systems into healthcare management introduces the potential for cybersecurity risks to both healthcare organizations and patients. The rising use of wireless and network-connected technologies in medical devices and the exchange of health information emphasizes the critical need for strong cybersecurity measures to maintain device safety and functionality. 

In addition, healthcare faces escalating cybersecurity threats that cause significant disruptions in patient care. Incidents have rendered medical devices and hospital networks inoperable, and such attacks can lead to patient harm through clinical hazards such as delays in diagnosis or treatment. As a result, robust cybersecurity controls that preserve medical device safety and effectiveness have become more important than ever. 

In response, the FDA has issued a final guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, intended to promote consistency, facilitate efficient premarket review, and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats. In the guidance, the FDA provides recommendations to industry on cybersecurity device design, labeling, and testing, and on the documentation the agency recommends be included in premarket submissions for devices with cybersecurity risk. This guidance applies to devices with cybersecurity considerations, including devices with a device software function or that contain software (including firmware) or programmable logic. 

How does this guidance impact HFE activities for connected medical devices? 

The final document provides guidance on how mitigations for certain cybersecurity risks should be designed and tested throughout a connected medical device’s human factors engineering (HFE) process. The HFE process should focus on use-related cybersecurity risks, i.e., those “transferred to the user.” Under the guidance, these risks are managed by a user’s actions, either instead of or in conjunction with another part of the device (i.e., an asset, system, network, or geographic area).  

Examples of use-related cybersecurity risks include: 

  • The device has certain product specifications related to recommended cybersecurity controls appropriate for the intended use environment that must be adhered to (e.g., anti-malware software, use of a firewall, password requirements). 
  • The device has specific supporting infrastructure requirements to operate as intended (e.g., minimum networking requirements and supported encryption interfaces).

How does a manufacturer demonstrate compliance with the HFE-related recommendations in this new guidance? 

The guidance lists specific considerations for labeling and testing use-related cybersecurity risks but not the actionable steps for implementing them into the different phases of the medical device’s development lifecycle. Based on several of our team members’ extensive experience working for medical device manufacturers, we suggest implementing the following steps into the design controls product development process to demonstrate and document that adequate steps have been taken to adhere to this guidance.  

The steps below are listed in order as if the adherence to the guidance is implemented at the start of a medical device development lifecycle. However, we recognize that many manufacturers will likely have to implement these strategies once the development has started and is at any given stage within the development lifecycle. As such, these steps may need to be skipped, adjusted, or reordered, given the device’s specific stage of development, circumstances, and constraints.  

Design & development planning

Risk Management Plan: Include content in the Risk Management Plan that specifies: 

  • the process to identify use-related cybersecurity risks,  
  • how to mitigate these risks in, at a minimum, the product’s labeling and  
  • that mitigations must be tested via human factors (HF) methods to ensure their effectiveness. 

HFE Plan: Include content in the HF Plan about: 

  • the process to ensure use-related cybersecurity risks are identified through the use-related risk analysis (URRA) process,  
  • how these risks will be evaluated via analytical and empirical usability testing methods and 
  • which of these risks (i.e., all or only those associated with critical tasks or serious harm) must be tested in HF Summative Validation. 

Design input

Cybersecurity Risk Assessment: Identify use-related cybersecurity risks during the Cybersecurity Risk Assessment. To help manage traceability and enhance the visibility of adherence to the guidance, employ a categorization scheme to label each risk type so that use-related risks are easy to identify, and specify the labeling requirement(s) used to mitigate each risk. 

Task analysis: Ensure that task analysis covers all use-related cybersecurity use scenarios, workflows, and tasks associated with device use. 

Use/Application FMEA & URRA: Evaluate use-related cybersecurity risks in the Use/Application Failure Mode and Effects Analysis (FMEA) to ensure adequate mitigation measures are implemented in the user interface’s design and labeling. Document these risks in the Use-Related Risk Assessment (URRA). 

User interface requirements & specifications: Develop user interface requirements and specifications with the input of HF team members. Mitigation strategies should include user interface design (i.e., inherent safety by design or protective measures) and labeling approaches. As stated in the FDA’s 2016 HFE guidance, information for safety (which includes training and instructions for use (IFU)) is the least preferred method of controlling use-related risks. Therefore, user interface design strategies are preferred. Information for safety should be used as a supplementary control measure in addition to the more robust controls built into the user interface design of the device.   

Design output

User interface design: Product labeling (e.g., device labels or markings, IFU, training) must be implemented to adequately mitigate use-related cybersecurity risks, in addition to the other user interface design controls implemented based on the output of the Use/Application FMEA. The labeling should communicate the relevant device security information to users so that they can take appropriate actions to manage these risks, maintain their own security posture or the organization’s overall state of cybersecurity readiness, and thereby help ensure the device remains safe and effective throughout its lifecycle. To ensure that labeling is implemented effectively, consider the following when developing labeling strategies: 

  • Review the examples in the guidance document to determine applicability to the medical device under development. 
  • The depth of detail, the exact location in the labeling for specific types of information (e.g., operator’s manual, security implementation guide), and the method to provide this information should account for the intended user of the information (e.g., is the user a patient or caregiver with limited technical knowledge, or a hospital technician with significant technical knowledge and experience?).

Usability test plans/protocols: Include tasks associated with use-related cybersecurity risks in formative usability studies to ensure risk-mitigating controls are designed effectively, that labeling controls are understandable, and that users have the information they need to take appropriate actions to manage these risks. 

Validation 

HF Summative Validation study: Include use-related cybersecurity tasks in the HF Summative Validation study to validate the controls mitigating these types of risks. Performance-based and knowledge-task evaluation methods should include labeling implemented to control for use-related cybersecurity risks.  

HFE report: Document in the HFE report the process used to identify, mitigate, and test use-related cybersecurity risks during the HFE process throughout the device’s development lifecycle.  
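As an added illustration (not from the original post or from Bold Insight), the following Python check applies the traceability criteria from the steps above to a constructed risk register: every use-related cybersecurity risk needs a labeling mitigation, a labeling-only control is flagged so that a user interface control can be considered, every risk needs a formative-study task, and risks tied to critical tasks or serious harm must map to an HF Summative Validation task. The register fields, task IDs and category names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    rid: str
    category: str            # hypothetical scheme: "use-related" or "technical"
    critical_task: bool      # associated with a critical task or serious harm
    mitigations: list = field(default_factory=list)     # (kind, description), kind in {"labeling", "ui"}
    formative_tasks: list = field(default_factory=list)  # formative usability study task IDs
    summative_tasks: list = field(default_factory=list)  # HF Summative Validation task IDs

# Constructed sample register; not data from any real device.
REGISTER = [
    Risk("R1", "use-related", True,
         [("labeling", "IFU: minimum network requirements"),
          ("ui", "Refuse connection when required encryption is unsupported")],
         ["F-03"], ["S-02"]),
    Risk("R2", "use-related", False,
         [("labeling", "Security guide: enable firewall and anti-malware")],
         ["F-05"], []),
    Risk("R3", "use-related", True,
         [("labeling", "Label: password requirements")],
         ["F-07"], []),                      # critical task with no summative task
    Risk("R4", "technical", False,
         [("ui", "Signed firmware updates only")], [], []),   # not use-related, skipped
]

def check_register(register):
    """Return (risk id, finding) pairs for use-related risks that do not meet the plan."""
    findings = []
    for r in register:
        if r.category != "use-related":
            continue
        kinds = {kind for kind, _ in r.mitigations}
        if "labeling" not in kinds:
            findings.append((r.rid, "no labeling mitigation"))
        if kinds == {"labeling"}:
            # 2016 HFE guidance: information for safety alone is the least preferred control
            findings.append((r.rid, "labeling-only control; consider a UI control"))
        if not r.formative_tasks:
            findings.append((r.rid, "not covered by a formative study task"))
        if r.critical_task and not r.summative_tasks:
            findings.append((r.rid, "critical task without a summative validation task"))
    return findings

if __name__ == "__main__":
    for rid, finding in check_register(REGISTER):
        print(f"{rid}: {finding}")
```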

Although this guidance focuses specifically on the recommendation to implement and test labeling controls to mitigate use-related cybersecurity risks, the steps listed above go beyond this type of control strategy to include non-labeling-based controls within the medical device’s user interface design. This recommendation is based on HFE best practices and on the 2016 FDA HFE guidance document, which indicates that labeling, or information for safety, is the least effective risk mitigation control strategy when used alone. Furthermore, since the FDA has released guidance on this topic, reviewers will likely have use-related cybersecurity risks at the top of their minds when reviewing HF submissions for devices with these types of risks. The plan we’ve outlined reduces these risks as far as possible. Lastly, the approach presented here provides a comprehensive strategy that embeds cybersecurity risk management into the design-controls process and makes human factors engineering part of that process.  

Human factors guidance constantly changes to keep up with new device technologies and risks, and FDA regulatory recommendations are also evolving. The right human factors research partner can guide your connected medical device development through this changing landscape, and Bold Insight has the experience to help. 

If you’re interested in starting a conversation, reach out! We’d love to hear from you!