As innovation in medical technology increases, potential cybersecurity threats also grow. The U.S. Food and Drug Administration (FDA) expects medical device manufacturers to fully incorporate cybersecurity into their quality systems to ensure product safety. The agency recently expanded the scope of a draft guidance on the subject to add more details on what’s expected of manufacturers in terms of device security.
The draft, “Cybersecurity in Medical Devices: Quality Systems Considerations and Content of Premarket Submissions, was issued on April 8, 2022. It replaces a 2018 draft guidance meant to update a final guidance called “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.”
This article further highlights FDA’s current expectations for medical device cybersecurity.
FDA on Medical Device Cybersecurity
Manufacturers should be “designing for security rather than bolting on cybersecurity controls in devices,” said Matthew Hazelett, cybersecurity analyst at the Office of Product Evaluation and Quality under the FDA’s Center for Devices and Radiological Health (CDRH). He gave an overview of the proposed guidance during an online presentation on June 14, 2022.
Hazelett made the presentation to help members of the life science industry understand the proposed guidance. Linda Ricci, director of the FDA’s Division of All Hazard Response, Science, and Strategic Partnerships, and Aftin Ross, FDA senior advisor for emerging initiatives, joined Hazelett during a Q&A session. They urged industry members to submit comments on the medical device cybersecurity draft guidance by July 7, 2022.
Once the draft guidance becomes final, it will be applicable to:
- Premarket Notification (510(k)) submissions
- De Novo requests
- Premarket Approval Applications (PMAs) and PMA supplements
- Product Development Protocols (PDPs)
- Investigational Device Exemption (IDE) submissions
- Humanitarian Device Exemption (HDE) submissions
In addition to the above premarket submission types, it is important to note that the guidance also applies to all types of devices within the meaning of section 201(h) of the Federal Food, Drug, and Cosmetic Act, whether or not they require a premarket submission.
Medical Device Cybersecurity Draft Guidance: Highlights
The FDA expanded the proposed guidance’s scope to emphasize that cybersecurity is an integral part of device safety. The wider scope aligns the guidance with the Quality System Regulation (QSR), also known as 21 CFR Part 820.
The draft outlines security objectives medical devices should achieve throughout the total product life cycle (TPLC). Cybersecurity should be integrated into a device’s design in a way that can mitigate possible cybersecurity risks after its release.
Safety risk management is not the same as cybersecurity risk management. “They are two different things that should feed into and out of one another,” Hazelett explained. Safety risk management focuses on physical injury or damage to property or the environment. Security risk goes beyond that, encompassing risks that result in patient harm, or risks related to business or reputational tasks, according to the draft guidance.
To achieve TPLC, the FDA recommends adoption of a Secure Product Development Framework (SPDF) as part of QSR compliance. The draft guidance defines SPDF as “a set of processes that reduce the number and severity of vulnerabilities in products throughout the device lifecycle.”
The SPDF combines security designed into the device and all of a manufacturer’s security risk management efforts. As such, the SPDF should encompass the device’s development, release, and all the way through maintenance and decommissioning. It should be integrated into a manufacturer’s existing quality management system (QMS) as a way to satisfy QSR requirements. The FDA expects that by adopting an SPDF, manufacturers will reduce device exploitability and the associated patient safety risks.
The medical device cybersecurity draft guidance offers recommendations on documentation needed for FDA submissions. This includes documentation in addition to requirements under the 2014 Content of Premarket Submissions guidance. The FDA expects documentation to scale with the risk of the device, meaning the greater the cybersecurity risk, the more proof of mitigation should be submitted.
To demonstrate that a manufacturer’s SPDF is effective, documentation should include metrics such as:
- Defect density, which refers to the percentage of identified vulnerabilities that are updated or patched.
- Time from vulnerability identification to when it is updated or patched
- Time from when an update is available to complete implementation in devices deployed in the field.
Manufacturers are expected to provide appropriate labeling that would communicate relevant security information to device users. Companies should prepare a vulnerability management plan that describes how they intend to maintain post-market device safety and effectiveness.
A new aspect of the draft guidance is the inclusion of a software bill of materials (SBOM) documentation in submissions. SBOM refers to both manufacturer-developed components and third-party components, including purchased/licensed software and open-source software. SBOM documentation is considered an important tool for transparency, and can be part of the required labeling for devices.
Validation & Testing Expectations
Under the draft FDA cybersecurity guidance, security controls require testing beyond standard software verification and validation required by QSR. The agency expects manufacturers to perform cybersecurity testing throughout the SPDF. After the device is introduced to the market, cybersecurity testing should be performed at regular intervals (i.e., annual).
Manufacturer should include in their submissions the results of the following testing recommended by the FDA:
- Security requirement testing
- Threat mitigation
- Vulnerability testing
- Penetration testing
During the Q&A session, FDA officials addressed some of the attendees’ immediate concerns regarding premarket submissions. Manufacturers anticipating submission prior to the draft’s finalization should follow the 2014 Content of Premarket Submissions guidance, according to Ricci.
There’s no timeline as to when the medical device cybersecurity draft guidance will be finalized. There’s a possibility of further revision after the FDA receives industry feedback.
Given the context of new cybersecurity requirements for devices, the question of what’s considered “legacy device” came up. It’s especially relevant for devices that need to connect or interface with devices that use older technologies. Ross said the FDA will consider the nature of the device and not just its age when evaluating cybersecurity risks. The agency plans to prepare a separate guidance on the subject of legacy devices, she added.
In today’s increasingly connected digital landscape, medical devices and hospitals are just as vulnerable to hackers as banks, government agencies, and public utilities. At the height of the COVID-19 pandemic in 2020, the Interpol even issued a warning about cybercriminals using ransomware to hold hospitals and medical services digitally hostage.
The FDA and the industry don’t want to see hackers render medical devices inoperable or use them as entry points into hospital networks. Once finalized, the medical device cybersecurity guidance can help prevent such nightmare scenarios.
Device makers have many concerns about the compliance burden the new guidance will entail. While comments on the draft guidance were due July 7, the docket was still receiving comments from patients, providers and manufacturers at the time of this publication.
About the Author
Stephanie Ojeda is Director of Product Management for the Life Sciences industry at AssurX. Stephanie brings more than 15 years of leading quality assurance functions in a variety of industries, including pharmaceutical, biotech, medical device, food & beverage, and manufacturing.
Related Reading: Cybersecurity for Medical Devices – Who’s Accountable?