Yesterday, the FDA released draft guidance on the management of cybersecurity in medical devices submitted to the agency for premarket review. Noting that cybersecurity threats to the healthcare sector have increased in number and severity, the FDA offered new recommendations for device design, labeling, and documentation that medical device manufacturers will need to consider during premarket submission processes.

The guidance comes shortly after the FDA’s launch of its Medical Device Cybersecurity Playbook, which provides a framework for healthcare delivery organizations to use in preparing for and responding to cybersecurity threats against patient medical devices.

Given rapid changes in technology and increasing innovation in the digital health market, the guidance intends to decrease the risk of cyberattacks that could render medical devices inoperable and potentially harm patients. Comments on the draft guidance are due on March 18, 2019.

Identify, Protect, Detect, Respond, and Recover: Defining New Tiers of Risk

To aid medical device manufacturers in complying with the new recommendations for the design of secure devices, the FDA defines two tiers of devices according to their cybersecurity risk and updates the recommended documentation for all submissions.

Tier 1

Tier 1 “Higher Cybersecurity Risk” devices are defined as those that are capable of connecting, either wired or wirelessly, to another medical or non-medical product, to a network, or to the internet; and could directly result in patient harm to multiple patients if affected by a cybersecurity incident. The FDA notes that examples include “implantable cardioverter defibrillators (ICDs), pacemakers, left ventricular assist devices (LVADs), brain stimulators and neurostimulators, dialysis devices, infusion and insulin pumps, and the supporting connected systems that interact with these devices such as home monitors and those with command and control functionality such as programmers.”

Tier 1 device manufacturers are recommended to include design documentation in their submissions to demonstrate that the device is trustworthy and secure. The FDA recommends that manufacturers develop “trustworthy devices” by using the NIST Framework for Improving Critical Infrastructure Cybersecurity and by implementing security controls to reduce cybersecurity risks. Manufacturers are recommended to consider and address 38 security controls in their documentation in order to demonstrate that any “medical device containing hardware, software, and/or programmable logic…(1) is reasonably secure from cybersecurity intrusion and misuse; (2) provides a reasonable level of availability, reliability, and correct operation; (3) is reasonably suited to performing its intended functions; and (4) adheres to generally accepted security procedures.”

Tier 2

Tier 2 “Standard Cybersecurity Risk” devices are those that do not fall under the criteria of Tier 1 devices. Though they may not be deemed to be “high risk” targets for cybersecurity attacks, Tier 2 devices highlight the FDA’s broad-based approach for reviewing all medical devices’ vulnerabilities and its recommendation that manufacturers analyze the risk of exploitability in all new devices.

Premarket submissions of Tier 2 devices should include documentation that the manufacturer incorporated all of the security controls recommended for Tier 1 devices, or provide the FDA with a risk-based rationale for why the controls are not appropriate.

This guidance marks a significant shift in how the FDA will review medical devices and the framework it uses to measure risk to patients. The current guidance, which was issued in 2014, contains only 14 security controls and significantly fewer documentation recommendations for manufacturers to consider.

Informing End-Users of Cybersecurity Risks

The guidance also focuses on the importance of informing end-users of security information through labeling to help mitigate cybersecurity risks. The guidance states that when drafting labeling for inclusion in a premarket submission, a manufacturer should consider all applicable labeling requirements and how informing users through labeling may be an effective way to manage cybersecurity risks.

The FDA provides recommended labeling instructions for manufacturers to consider when determining applicable labeling requirements. While many of the instructions appear to be aimed at healthcare technology management and information technology professionals, one specifically recommends providing a Cybersecurity Bill of Materials (CBOM) for users such as patients, providers, and healthcare delivery organizations. A CBOM lists all software and hardware components so that the user can prepare for cybersecurity threats by “effectively manag[ing] assets, understand[ing] the potential impact of identified vulnerabilities to the device (and the connected system), and deploy[ing] countermeasures to maintain the device’s essential performance.”

The new labeling guidance and the recommendations made in the Medical Device Cybersecurity Playbook indicate that the FDA seeks to increase the resiliency of healthcare delivery organizations against cyberattacks and prevent any disruption of patient care delivery.

Public feedback on the draft guidance may be submitted until March 18, 2019 via https://www.regulations.gov. Medical device manufacturers, particularly those in the digital health space, should analyze the impact of the updated guidance on their devices and take the opportunity to submit comments for FDA consideration. For further assistance, please contact Jodi Daniel (jdaniel@crowell.com) or John Fuson (jfuson@crowell.com).

Jodi G. Daniel

Jodi Daniel is a partner in Crowell & Moring’s Health Care Group and a member of the group’s Steering Committee. She is also a director at C&M International (CMI), an international policy and regulatory affairs consulting firm affiliated with Crowell & Moring. She leads the firm’s Digital Health Practice and provides strategic, legal, and policy advice to all types of health care and technology clients navigating the dynamic regulatory environment related to technology in the health care sector to help them achieve their business goals. Jodi is a contributor to the Uniform Law Commission Telehealth Committee, which drafts and proposes uniform state laws related to telehealth services, including the definition of telehealth, formation of the doctor-patient relationship via telehealth, creation of a registry for out-of-state physicians, insurance coverage and payment parity, and administrative barriers to entity formation.

Brandon C. Ge

Brandon C. Ge is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Privacy and Cybersecurity and Health Care groups.

Brandon advises clients on a wide range of privacy and cybersecurity laws, regulations, and standards. His practice has a particular focus on advising clients – from start-up digital health companies to large health plans – on all aspects of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Brandon regularly assists clients with responding to security incidents and has successfully represented clients in Office for Civil Rights investigations.