Medical Device Cybersecurity Draft Guidance Explainer Series – Security Risk Management 

In April, the FDA published an overhauled draft guidance on medical device cybersecurity for submitting a premarket submission. When finalized, this guidance will supersede the existing 2014 guidance – Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. The draft document has been published in response to a rapidly-evolving cybersecurity threat landscape and will change the way that medical device manufacturers manage submissions. 

In a previous post, which we encourage you to check out if you haven’t already, we announced the news, detailing the implications and the evolution of the guidance document. In this explainer series, we will break down the individual components of the document. 

With regards to managing cybersecurity risks, the new draft guidance is broken into three key sections: 

    1. Security Risk Management, which amongst other things mentions the use of threat modeling, SBOMS and security assessment of unresolved anomalies. 
    2. Security Architecture, which discusses the implementation of security architecture controls and secure architecture views.
    3. Cybersecurity Testing, which looks closely at security requirements, threat mitigation, vulnerability testing, and penetration testing.   

In this post, we will take a closer look at Part A, Security Risk Management. 

Security Risk Management 

Security Risk Management is the continuous process of identifying security vulnerabilities and implementing plans to address them. The process for performing security risk management is a distinct process from performing safety risk management as described in ISO 14971:2019.  This is due to the scope of possible harm and the risk assessment factors in the context of security may be different than those in the context of safety. Medical device manufacturers need to establish and implement a risk management strategy to mitigate the risks specific to their products and reduce the risk of cyber-attacks. It is critical for increasing the safety of the medical device and protecting patient health. Outside of patient health there are also risks related to business damaged reputational risks. 

Within the draft guidance document, the following was said about security risk management: 

“To fully account for cybersecurity risks in devices, the safety and security risks of each device should be assessed within the context of the larger system in which the device operates. In the context of cybersecurity, security risk management processes are critical because, given the evolving nature of cybersecurity threats and risks, no device is, or can be, completely secure. Security risk management should be part of a manufacturer’s quality system.” 

The draft guidance goes on to outline the difference between premarket and postmarket security risk management.  

“Exploitability (the ability to exploit vulnerabilities) for a cybersecurity risk during a premarket assessment may be different compared to a risk assessment performed for a postmarket vulnerability. For example, some of the exploitability factors discussed in the guidance (e.g., Exploit Code Maturity, Remediation Level, Report Confidence) may not be applicable to unreleased software. In these instances, a premarket exploitability assessment could either assume a worst-case assessment and implement appropriate controls, or provide a justification for a reasonable exploitability assessment of the risk throughout the total product lifecycle and how the risk is controlled.”  

Five Key Components for Managing Security Risk 

The FDA recommends that manufacturers establish a security risk management process that encompasses design controls (21 CFR 820.30), validation of production processes (21 CFR 330 820.70), and corrective and preventive actions (21 CFR 820.100) to ensure both safety and security risks are adequately addressed. 

Within the document, the FDA outlines five key protocols for managing risk. These include: 

1. Threat Modeling 

Threat modeling includes a process for identifying security objectives, risks, and vulnerabilities across the system, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system throughout its lifecycle. As part of the risk assessment, FDA recommends threat modeling be performed throughout the design process and be inclusive of all system elements. It is also recommended that premarket submissions include threat modeling documentation. 

2. Third-Party Software Components – SBOMs 

 As discussed in the FDA guidances “Off-The-Shelf (OTS) Software Use in Medical Devices” and “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software,” medical devices commonly include third-party software components including off-the-shelf and open-source software. When these components are incorporated, security risks of the software components become factors of the overall medical device system risk management processes and documentation. To control these risks, the FDA highlights the use of a Software Bill of Materials (SBOM).  

We have spoken in the past about the benefits of using SBOMS. SBOMs provide a list of all software components within a given device. Items listed within an SBOM include libraries, drivers, firmware, licenses, and operating systems. Using SBOMs provides all parties with greater transparency and visibility of third-party components. It allows medical device manufacturers to spot potential vulnerabilities and resolve security flaws more efficiently. Nova Leah’s flagship product, SelectEvidence®, allows organizations to automatically ingest and continually monitor SBOMs.  

3. Security Assessment of Unresolved Anomalies 

FDA’s Premarket Software Guidance recommends that device manufacturers provide a list of software anomalies (e.g., bugs or defects) that exist in a product at the time of submission. For each of these anomalies, FDA recommends conducting an assessment of the anomaly’s impact on safety and effectiveness, and consult the Premarket Software Guidance to assess the associated documentation recommended for inclusion in the device’s premarket submission. Some anomalies discovered during development or testing may have security implications that may also be considered vulnerabilities. 

4. Security Risk Management Documentation 

Of course, within the area of security risk management, documentation is incredibly important. In the draft guidance, the FDA recommends that manufacturers provide the outputs of their security risk management processes in their premarket submissions, including their security risk management plan and security risk management report.  

Medical device manufacturers should clearly document and summarize their activities related to cybersecurity. Depending on the risk class of the device, the regulator may require this type of documentation to assess the medical device prior to market entry or may request it during the post-market phase of the product’s life cycle. If required for premarket authorization, clear documentation describing the device’s design features, risk management activities, testing, labeling and evidence of a plan to monitor and respond to emerging threats throughout the product’s life cycle in relation to cybersecurity, should be submitted by the manufacturer. 

5. TPLC Security Risk Management 

In the draft guidance, there is a special note given on carrying out cybersecurity risk management throughout a product’s TPLC (total product life cycle). It is stated that “manufacturers should ensure they have appropriate resources to identify, assess, and mitigate cybersecurity vulnerabilities as they are identified throughout the supported device lifecycle.”  

Sound risk management principles addressing the security and safety domains should be incorporated throughout the life cycle of a medical device. A cybersecurity risk that impacts device safety and essential performance, negatively affects clinical operations, or results in diagnostic or therapeutic errors should also be considered in the medical device’s risk management process. 

Risk management should be used by the manufacturer to take the following steps as part of their risk management process: 

                      • Identify any cybersecurity vulnerability; 
                      • Estimate and evaluate the associated risks; 
                      • Control those risks to an acceptable level; 
                      • Assess and monitor the effectiveness of the risk controls; and 
                      • Communicate risks via coordinated disclosure to key stakeholders. 

Introducing SelectEvidence®

This last component provides the perfect jumping off point to introduce SelectEvidence® from Nova Leah. SelectEvidence® is an expert cybersecurity risk assessment platform from Nova Leah that guides medical device manufacturers through the process of identifying applicable vulnerabilities and identifying the right security controls to mitigate those risks. It provides manufacturers with an intelligent, automated, and traceable approach to cybersecurity assessments.  

Leveraging SelectEvidence® as an integral part of your product development life cycle for security risk assessment will assure that your connected medical devices meet FDA/EU Pre-market Submission and Post-market Management guidelines. All of the points mentioned throughout this post link closely to SelectEvidence®. And while this guidance document has yet to be finalized there is no doubt that the use of SBOMs and putting correct security risk management protocols in place will play a huge part in the future of medical device cybersecurity.  

To learn more about SelectEvidence, and its role in security risk management, you can organize an obligation-free demonstration here 

Cybersecurity Draft Guidance Series

Introduction – FDA Publishes Draft Guidance on Medical Device Cybersecurity (Pre-Market) 

Explainer Series Part 1 of 3 – Medical Device Cybersecurity Draft Guidance Explainer Series – Security Risk Management

Explainer Series Part 2 of 3 – Medical Device Cybersecurity Draft Guidance Explainer Series – Security Architecture 

Explainer Series Part 3 of 3 – Medical Device Cybersecurity Draft Guidance Explainer Series – Cybersecurity Testing  

Cybersecurity Draft Guidance – Read the new draft guidance in full.