FDA Publishes Draft Guidance on Medical Device Cybersecurity (Pre-Market) 

On April 8, 2022, the FDA published an overhauled draft guidance on medical device cybersecurity for premarket submissions. If followed, experts say the new draft guidance will fundamentally improve device security and patient safety. The guidance is currently out for comment, and those within the medical device industry are being encouraged to submit comments and suggestions regarding the document within ninety days of its publication.

The draft document has been published in response to a rapidly-evolving cybersecurity threat landscape. Below is an extract from the introduction of the draft document: 

“Cybersecurity threats to the healthcare sector have become more frequent and more severe, carrying increased potential for clinical impact. Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the U.S. and globally. Such cyber-attacks and exploits may lead to patient harm as a result of clinical hazards, such as delay in diagnosis and/or treatment.” 

Timeline of Cybersecurity Guidance 

The new draft guidance has been a long time coming. In 2014, the FDA issued final cybersecurity guidance which addressed the premarket expectations of medical device manufacturers. This guidance was in place for the better part of a decade.

The threat landscape has grown more sophisticated and connected medical devices have become even more prominent in the meantime. So, in 2018, this document was updated and built upon as the FDA issued a new premarket cybersecurity draft guidance. This version was not to be, however. After receiving a huge amount of feedback from industry stakeholders, the FDA decided it would reissue a whole new draft guidance with significant changes rather than simply finalizing the 2018 draft guidance. This long-awaited, overhauled version is what has been published in the past month. 

When finalized, this guidance will supersede Content of Premarket Submissions for Management of Cybersecurity in Medical Devices – Final Guidance, October 2, 2014. 

Draft guidance – ‘Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions’  

The new FDA draft guidance details a total product lifecycle approach to cybersecurity, with recommendations for how medical device manufacturers should address security in premarket submissions in order to maintain their software-based products postmarket. The new guidance document is almost fifty pages long, a huge increase from its preceding document, which had a total of 9 pages. This alone speaks to how much more robust the new guidance is and how much it has evolved.

The new draft guidance asks medical device manufacturers to think about cybersecurity in the context of the agency’s quality system regulation (QSR):  

Device manufacturers must establish and follow quality systems to help ensure that their products consistently meet applicable requirements and specifications.

In the premarket context, in order to demonstrate a reasonable assurance of safety and effectiveness for certain devices with cybersecurity risks, documentation outputs related to the requirements of the QSR may be one source of documentation to include as part of the premarket submission. 

It also advises medical device manufacturers to consider using a Secure Product Development Framework (SPDF) in order to reduce the number and severity of vulnerabilities in their products:

“Cybersecurity threats have the potential to exploit one or more vulnerabilities that could lead to patient harm. The greater the number of vulnerabilities that exist and/or are identified over time in a system in which a device operates, the easier a threat can compromise the safety and effectiveness of the medical device.  

A Secure Product Development Framework (SPDF) is a set of processes that help reduce the number and severity of vulnerabilities in products. An SPDF encompasses all aspects of a product’s lifecycle, including development, release, support, and decommission. Additionally, using SPDF processes during device design may prevent the need to re-engineer the device when connectivity-based features are added after marketing and distribution, or when vulnerabilities resulting in uncontrolled risks are discovered.” 

Further along, the use of threat modeling and software bills of materials (SBOMs) is identified as a way of managing security risk. This builds upon advice issued as part of Joe Biden’s Cybersecurity Executive Order, which cited SBOMs as a means to strengthen security. It also comes as a consequence of the pushback that arose after the 2018 draft document was released. In that version, a cybersecurity bill of materials (CBOM) was identified as a “critical element in identifying assets, threats, and vulnerabilities”. The new guidance document asks medical device manufacturers to provide an SBOM instead of a CBOM.

A Three Part Explainer Series from Nova Leah  

With regards to managing cybersecurity risks, the new draft guidance is broken into three key sections:

1. Security Risk Management, which amongst other things mentions the use of threat modeling, SBOMs and security assessment of unresolved anomalies.
2. Security Architecture, which discusses the implementation of security architecture controls and secure architecture views.
3. Cybersecurity Testing, which looks closely at security requirements, threat mitigation, vulnerability testing, and penetration testing.

In a three-part series, Nova Leah will be breaking down the recommendations listed in these sections. We will take a deep dive into what it all means for medical device manufacturers and why these protocols have been suggested as a way to strengthen cybersecurity for medical devices.

We will also be detailing how solutions offered by Nova Leah can assure that your connected medical devices meet FDA/EU Pre-market Submission and Post-market Management guidelines throughout the entire product development life cycle. 

The first part of this explainer series can be found here. In it, we discuss security risk management.