Yesterday, the FDA released draft guidance on the management of cybersecurity in medical devices submitted to the agency for premarket review. Noting that cybersecurity threats to the healthcare sector have increased in number and severity, the FDA offered new recommendations for device design, labeling, and documentation that medical device manufacturers will need to consider during premarket submission processes.
The guidance comes shortly after the FDA’s launch of its Medical Device Cybersecurity Playbook, which provides a framework for healthcare delivery organizations to use in preparing for and responding to cybersecurity threats against patient medical devices.
Given rapid changes in technology and increasing innovation in the digital health market, the guidance intends to decrease the risk of cyberattacks that could render medical devices inoperable and potentially harm patients. Comments on the draft guidance are due on March 18, 2019.
Identify, Protect, Detect, Respond, and Recover: Defining New Tiers of Risk
To aid medical device manufacturers in complying with the new recommendations for the design of secure devices, the FDA defines two tiers of devices according to their cybersecurity risk and updates the recommended documentation for all submissions.
Tier 1
Tier 1 “Higher Cybersecurity Risk” devices are defined as those that are capable of connecting, either wired or wirelessly, to another medical or non-medical product, to a network, or to the internet, and for which a cybersecurity incident affecting the device could directly result in harm to multiple patients. The FDA notes that examples include “implantable cardioverter defibrillators (ICDs), pacemakers, left ventricular assist devices (LVADs), brain stimulators and neurostimulators, dialysis devices, infusion and insulin pumps, and the supporting connected systems that interact with these devices such as home monitors and those with command and control functionality such as programmers.”
The FDA recommends that Tier 1 device manufacturers include design documentation in their submissions to demonstrate that the device is trustworthy and secure. The FDA recommends that manufacturers develop “trustworthy devices” by applying the NIST Framework for Improving Critical Infrastructure Cybersecurity and implementing security controls to reduce cybersecurity risks. Manufacturers are recommended to consider and address 38 security controls in their documentation in order to demonstrate that any “medical device containing hardware, software, and/or programmable logic…(1) is reasonably secure from cybersecurity intrusion and misuse; (2) provides a reasonable level of availability, reliability, and correct operation; (3) is reasonably suited to performing its intended functions; and (4) adheres to generally accepted security procedures.”
Tier 2
Tier 2 “Standard Cybersecurity Risk” devices are those that do not fall under the criteria of Tier 1 devices. Though they may not be deemed to be “high risk” targets for cybersecurity attacks, Tier 2 devices highlight the FDA’s broad-based approach for reviewing all medical devices’ vulnerabilities and its recommendation that manufacturers analyze the risk of exploitability in all new devices.
Premarket submissions of Tier 2 devices should include documentation that the manufacturer incorporated all of the security controls recommended for Tier 1 devices, or provide the FDA with a risk-based rationale for why the controls are not appropriate.
This guidance marks a significant shift in how the FDA will review medical devices and in the framework it uses to measure risk to patients. The current guidance, issued in 2014, contains only 14 security controls and significantly fewer documentation recommendations for manufacturers to consider.
Informing End-Users of Cybersecurity Risks
The guidance also focuses on the importance of informing end-users of security information through labeling to help mitigate cybersecurity risks. The guidance states that when drafting labeling for inclusion in a premarket submission, a manufacturer should consider all applicable labeling requirements and how informing users through labeling may be an effective way to manage cybersecurity risks.
The FDA provides recommended labeling instructions for manufacturers to consider when determining applicable labeling requirements. While many of the instructions appear to be aimed at healthcare technology management and information technology professionals, one specifically recommends providing a Cybersecurity Bill of Materials (CBOM) for users such as patients, providers, and healthcare delivery organizations. A CBOM lists all software and hardware components so that the user can prepare for cybersecurity threats by “effectively manag[ing] assets, understand[ing] the potential impact of identified vulnerabilities to the device (and the connected system), and deploy[ing] countermeasures to maintain the device’s essential performance.”
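As an added illustration of how an end-user would actually put a CBOM to work, the script below cross-references a component inventory against a list of advisories and reports which installed components are still on an affected version. This is example code written for this note; it is not from the FDA guidance, the Playbook, or any manufacturer. The draft guidance does not prescribe a machine-readable CBOM format, so the CSV layout, the component names and versions, and the advisory identifiers are all constructed sample data.

```python
"""Cross-reference a Cybersecurity Bill of Materials (CBOM) against advisories.

Assumption: the CBOM is a simple CSV of kind,name,version rows and each advisory
names one component and the first version that contains the fix. Both the CBOM
rows and the advisories below are constructed sample data; the component names,
versions and advisory IDs are hypothetical.
"""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    kind: str      # "software" or "hardware"
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    fixed_in: Optional[str]   # first fixed version; None means no fix available yet


# Constructed sample CBOM, as a manufacturer might ship it with the labeling.
CBOM_CSV = """kind,name,version
software,embedded-rtos,3.2.1
software,tls-library,1.0.2
software,bluetooth-stack,5.1
hardware,radio-soc,rev-b
"""

# Constructed sample advisories (hypothetical identifiers).
ADVISORIES = [
    Advisory("ADV-0001", "tls-library", "1.0.3"),
    Advisory("ADV-0002", "bluetooth-stack", "5.1"),   # already at the fixed version
    Advisory("ADV-0003", "embedded-rtos", None),      # no fix available yet
]


def load_cbom(text: str) -> List[Component]:
    """Parse the CSV CBOM into Component records."""
    reader = csv.DictReader(io.StringIO(text))
    return [Component(r["kind"], r["name"], r["version"]) for r in reader]


def _version_key(v: str) -> Tuple[Tuple[int, object], ...]:
    # Numeric parts sort as (0, int); non-numeric parts (e.g. "rev-b") sort as
    # (1, str) after any number, so mixed parts never raise a TypeError.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than b; "1.4" and "1.4.0" are equal."""
    ka, kb = list(_version_key(a)), list(_version_key(b))
    width = max(len(ka), len(kb))
    ka += [(0, 0)] * (width - len(ka))
    kb += [(0, 0)] * (width - len(kb))
    return ka < kb


def is_affected(component: Component, advisory: Advisory) -> bool:
    """A component is affected if the advisory names it and it predates the fix."""
    if component.name != advisory.component:
        return False
    if advisory.fixed_in is None:
        return True
    return version_lt(component.version, advisory.fixed_in)


def affected_components(cbom: List[Component],
                        advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (name, version, advisory_id) for every affected component."""
    return [(c.name, c.version, a.advisory_id)
            for c in cbom for a in advisories if is_affected(c, a)]


if __name__ == "__main__":
    for name, version, adv in affected_components(load_cbom(CBOM_CSV), ADVISORIES):
        print(f"{name} {version} is affected by {adv}")
```

The interesting cases are the ones a naive string comparison gets wrong: a component already at the fixed version (bluetooth-stack 5.1) is not reported, "1.4" and "1.4.0" compare as equal, and an advisory with no fix yet flags the component regardless of version so it can be tracked for a compensating control.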
The new labeling guidance and the recommendations made in the Medical Device Cybersecurity Playbook indicate that the FDA seeks to increase the resiliency of healthcare delivery organizations against cyberattacks and prevent any disruption of patient care delivery.
Public feedback on the draft guidance may be submitted until March 18, 2019 via https://www.regulations.gov. Medical device manufacturers, particularly those in the digital health space, should analyze the impact of the updated guidance on their devices and take the opportunity to submit comments for FDA consideration. For further assistance, please contact Jodi Daniel (jdaniel@crowell.com) or John Fuson (jfuson@crowell.com).