Yesterday, the FDA released draft guidance on the management of cybersecurity in medical devices submitted to the agency for premarket review. Noting that cybersecurity threats to the healthcare sector have increased in number and severity, the FDA offered new recommendations for device design, labeling, and documentation that medical device manufacturers will need to consider during premarket submission processes.

The guidance comes shortly after the FDA’s launch of its Medical Device Cybersecurity Playbook, which provides a framework for healthcare delivery organizations to use in preparing for and responding to cybersecurity threats against patient medical devices.

Given rapid changes in technology and increasing innovation in the digital health market, the guidance intends to decrease the risk of cyberattacks that could render medical devices inoperable and potentially harm patients. Comments on the draft guidance are due on March 18, 2019.

Identify, Protect, Detect, Respond, and Recover: Defining New Tiers of Risk

To aid medical device manufacturers in complying with the new recommendations for the design of secure devices, the FDA defines two tiers of devices according to their cybersecurity risk and updates the recommended documentation for all submissions.

Tier 1

Tier 1 “Higher Cybersecurity Risk” devices are defined as those that are capable of connecting, either wired or wirelessly, to another medical or non-medical product, to a network, or to the internet; and could directly result in patient harm to multiple patients if affected by a cybersecurity incident. The FDA notes that examples include “implantable cardioverter defibrillators (ICDs), pacemakers, left ventricular assist devices (LVADs), brain stimulators and neurostimulators, dialysis devices, infusion and insulin pumps, and the supporting connected systems that interact with these devices such as home monitors and those with command and control functionality such as programmers.”

Tier 1 device manufacturers are recommended to include design documentation in their submissions to demonstrate that the device is trustworthy and secure. FDA recommends that manufacturers develop “trustworthy devices” using the NIST Framework for Improving Critical Infrastructure Cybersecurity and implementation of security controls to reduce cybersecurity risks. Manufacturers are recommended to consider and address 38 security controls in their documentation in order to demonstrate that any “medical device containing hardware, software, and/or programmable logic…(1) is reasonably secure from cybersecurity intrusion and misuse; (2) provides a reasonable level of availability, reliability, and correct operation; (3) is reasonably suited to performing its intended functions; and (4) adheres to generally accepted security procedures.”

Tier 2

Tier 2 “Standard Cybersecurity Risk” devices are those that do not fall under the criteria of Tier 1 devices. Though they may not be deemed to be “high risk” targets for cybersecurity attacks, Tier 2 devices highlight the FDA’s broad-based approach for reviewing all medical devices’ vulnerabilities and its recommendation that manufacturers analyze the risk of exploitability in all new devices.

Premarket submissions of Tier 2 devices should include documentation that the manufacturer incorporated all of the security controls recommended for Tier 1 devices, or provide the FDA with a risk-based rationale for why the controls are not appropriate.

This guidance marks a significant shift in how the FDA will review medical devices and the framework it utilizes to measure risk to patients. The current guidance, which was issued in 2014, contains only 14 security controls and significantly less documentation recommendations for manufacturers to consider.

Informing End-Users of Cybersecurity Risks

The guidance also focuses on the importance of informing end-users of security information through labeling to help mitigate cybersecurity risks. The guidance states that when drafting labeling for inclusion in a premarket submission, a manufacturer should consider all applicable labeling requirements and how informing users through labeling may be an effective way to manage cybersecurity risks.

The FDA provides recommended labeling instructions for manufacturers to consider when determining applicable labeling requirements. While many of the instructions appear to be aimed at healthcare technology management and information technology professionals, one specifically recommends providing a Cybersecurity Bill of Materials (CBOM) for users such as patients, providers, and healthcare delivery organizations. A CBOM lists all software and hardware components so that the user can prepare for cybersecurity threats by “effectively manag[ing] assets, understand[ing] the potential impact of identified vulnerabilities to the device (and the connected system), and deploy[ing] countermeasures to maintain the device’s essential performance.”

The new labeling guidance and the recommendations made in the Medical Device Cybersecurity Playbook indicate that the FDA seeks to increase the resiliency of healthcare delivery organizations against cyberattacks and prevent any disruption of patient care delivery.

Public feedback on the draft guidance may be submitted until March 18, 2019 via https://www.regulations.gov. Medical device manufacturers, particularly those in the digital health space, should analyze the impact of the updated guidance on their devices and take the opportunity to submit comments for FDA consideration. For further assistance, please contact Jodi Daniel (jdaniel@crowell.com) or John Fuson (jfuson@crowell.com).

Print:
LinkedInTweetLikeLinkedInGoogle Plus
Photo of John Fuson John Fuson

John Fuson is a partner in the firm’s Health Care, Advertising & Product Risk Management (APRM), and White Collar and Regulatory Enforcement groups, focusing on U.S. Food and Drug Administration (FDA) enforcement and counseling matters. He is also a member of the Steering Committee for the firm’s APRM Group. Before joining Crowell & Moring, John served as associate chief counsel at the FDA, with broad law enforcement responsibilities, from 2007-2012. John has experience handling all types of major enforcement actions brought by the FDA, including seizure actions, injunction actions, actions for civil money penalties, and contempt actions. His cases have involved drugs, devices, food, and veterinary drugs.

Photo of Jodi G. Daniel Jodi G. Daniel

Jodi Daniel is a partner in Crowell & Moring’s Washington, D.C. office and a member of the firm’s Health Care Group, where she provides strategic advice to clients navigating the legal and regulatory environments related to technology in the health care sector. Jodi is the former director of the Office of Policy in the Office of the National Coordinator for Health Information Technology (ONC), U.S. Department of Health and Human Services (HHS). She served for a decade as the director at the ONC and 15 years at HHS, where she helped spearhead important changes in health information privacy and health information technology to improve health care for consumers nationwide.

For more than a decade, Jodi has been responsible for thought leadership, policy development, and identifying policy drivers for health IT activities within the federal government, and ultimately established the HHS’ national health IT policy. As former director at the ONC, she addressed privacy and security issues to ensure that there was clear guidance on how the initial Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules applied to health IT. Jodi set the strategic direction and set policy on consumer e-health and health IT safety. She is also credited with establishing the ONC’s regulatory capacity and led the development of all ONC regulations on health IT standards and certification.

As the first senior counsel for health information technology in the Office of the General Counsel (OGC) of HHS, Jodi developed HHS’s foundational legal strategies and coordinated all legal advice regarding health IT for HHS. She founded and chaired the health information technology practice group within OGC and worked closely with the Centers for Medicare and Medicaid Services in the development of the e-prescribing standards regulations and the Stark and anti-kickback rules regarding e-prescribing and electronic health records.